On Wed, Mar 04, 2015 at 05:12:06PM +0100, Per Thorsheim wrote:

> According to Twitter.com/einaros, the https://starttls.info/ database
> shows 43266 distinct SMTP servers (~12%) support RSA Export suites, re:
> #FREAK attack.

What they don't mention is that SMTP over TLS is almost universally
just opportunistic unauthenticated TLS, and thus vulnerable to
active attacks that are *much* cheaper than FREAK.

FREAK only matters in SMTP when the client is actually authenticating
the server.  Thus only for bilaterally negotiated secure channels
(security levels of fingerprint, verify or secure) or when DANE
TLSA records are published for the server and the client supports
and enables DANE.

-- 
        Viktor.
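As an added illustration of the distinction drawn above (not part of the original message or of Postfix's own documentation), the following Postfix main.cf and tls_policy fragments show the opportunistic "may" setting beside the authenticated alternatives: "dane" for servers that publish TLSA records, and per-destination "secure" and "fingerprint" policies for bilaterally negotiated channels. The domain names, file paths and the fingerprint digest are placeholders, and the cipher-exclusion lines are assumptions about how one would keep export-grade RSA out of both the client and the server side. Parameter names are standard Postfix (DANE requires Postfix 2.11 or later and a DNSSEC-validating local resolver).

```ini
# /etc/postfix/main.cf  (constructed example, not a real site's config)

# Opportunistic, unauthenticated TLS: encrypt when the peer offers STARTTLS,
# but accept any certificate. An active attacker can strip STARTTLS or
# present its own certificate, which is the cheap attack Viktor refers to.
# smtp_tls_security_level = may

# DANE: authenticate destinations whose DNSSEC-signed zones publish TLSA
# records; everything else falls back to opportunistic TLS.
# Needs a validating resolver on 127.0.0.1 (e.g. unbound) and Postfix >= 2.11.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# Bilaterally negotiated channels get mandatory authentication via the
# policy table below, which overrides the global level per destination.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_fingerprint_digest = sha256

# Assumption: keep export-grade and low-strength suites out of both the
# client (smtp_) and server (smtpd_) side, so RSA_EXPORT is never offered
# even where the peer still enables it.
smtp_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_exclude_ciphers = EXPORT, LOW
smtp_tls_mandatory_ciphers = high

# /etc/postfix/tls_policy  (constructed; rebuild with: postmap /etc/postfix/tls_policy)
#
# Partner whose MX has a public-CA certificate: verify the chain against
# smtp_tls_CAfile and require the name to match the destination domain.
# example.com   secure match=.example.com:example.com
#
# Partner with a self-signed certificate: pin its digest, exchanged out of
# band. The digest below is a placeholder, not a real fingerprint.
# example.net   fingerprint match=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
#
# Destination that must be DANE-authenticated or not delivered at all.
# example.org   dane-only
```

Only the "secure", "fingerprint" and "dane"/"dane-only" destinations actually authenticate the server, so those are the only channels where a cipher-downgrade attack such as FREAK changes the outcome; for a "may" destination the attacker already gets plaintext or a forged certificate without it.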
