Re: SSL/TLS and port 587

2008-01-23 Thread sjk

Ed Gerck wrote:

> List,
>
> I would like to address and request comments on the use of SSL/TLS and
> port 587 for email security.
>
> The often expressed idea that SSL/TLS and port 587 are somehow able to
> prevent warrantless wiretapping and so on, or protect any private
> communications, is IMO simply not supported by facts.
>
> Warrantless wiretapping and so on, and private communications
> eavesdropping are done more efficiently and covertly directly at the
> ISPs (hence the name warrantless wiretapping), where SSL/TLS
> protection does NOT apply. There is a security gap at every negotiated
> SSL/TLS session.
>
> It is misleading to claim that port 587 solves the security problem of
> email eavesdropping, and gives people a false sense of security. It is
> worse than using a 56-bit DES key -- the email is in plaintext where it
> is most vulnerable.


Perhaps you'd like to expand upon this a bit. I am a bit confused by 
your assertion. tcp/587 is the standard authenticated submission port, 
while tcp/465 is the normal smtp/ssl port - of course one could run any 
mix of one or the other on either port. Are you suggesting that some 
postmasters/admins are claiming that their Submission ports are encrypted?


--

[EMAIL PROTECTED]
fingerprint: 1024D/89420B8E 2001-09-16

No one can understand the truth until
he drinks of coffee's frothy goodness.
~~Sheik Abd-al-Kadir

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
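The exchange above turns on two distinct questions: what the submission server actually advertises on a given port (sjk's point that STARTTLS and implicit TLS can each run on either port), and what that protection covers (Ed Gerck's point that it ends at the server, which holds the message in plaintext). The following is an added example, not code from the thread or from either poster; it uses only the Python standard library, and the EHLO replies in `SAMPLE_EHLO` and `SAMPLE_EHLO_NO_TLS` are constructed samples, not captured from any real server. The `probe_live` helper is an assumed live variant that needs network access and is not exercised here.

```python
"""Check what transport protection an SMTP submission server advertises.

Added example, not from the mailing-list thread. Standard library only;
the EHLO replies below are constructed samples.
"""
import smtplib
import ssl

# Constructed sample of a multi-line EHLO reply (RFC 5321 4.1.1.1 layout):
# the first 250 line is the greeting, each later line names one extension.
SAMPLE_EHLO = """250-mail.example.net Hello client.example.org
250-SIZE 35882577
250-STARTTLS
250-AUTH PLAIN LOGIN
250 OK"""

# Constructed sample from a server that does not offer STARTTLS at all.
SAMPLE_EHLO_NO_TLS = """250-relay.example.net Hello client.example.org
250-SIZE 10240000
250 AUTH PLAIN"""


def parse_ehlo_reply(reply: str) -> dict[str, str]:
    """Turn a raw EHLO reply into {EXTENSION_KEYWORD: parameters}."""
    features: dict[str, str] = {}
    lines = reply.splitlines()
    for line in lines[1:]:          # lines[0] is the greeting, no extension
        if not line.startswith("250"):
            continue                # not part of the EHLO success reply
        body = line[4:].strip()     # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def hop_protection(port: int, features: dict[str, str]) -> str:
    """Classify the client-to-server hop from what the server advertises.

    587 (submission, usually STARTTLS) and 465 (implicit TLS) are only
    conventions: either mode can run on either port, so the verdict comes
    from the handshake, not the port number. On 465 the TLS session is up
    before any SMTP command, so there is no STARTTLS keyword to look for.
    """
    if port == 465:
        return "implicit TLS (session encrypted before any SMTP command)"
    if "STARTTLS" in features:
        return "STARTTLS offered (encrypted only if the client upgrades before AUTH/DATA)"
    return "plaintext (credentials and message cross the wire unencrypted)"


def probe_live(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Live variant (assumed helper; needs network, not run offline)."""
    ctx = ssl.create_default_context()
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            feats = {k.upper(): v for k, v in s.esmtp_features.items()}
    else:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo()
            feats = {k.upper(): v for k, v in s.esmtp_features.items()}
    return hop_protection(port, feats)


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_EHLO), ("no-tls sample", SAMPLE_EHLO_NO_TLS)):
        feats = parse_ehlo_reply(sample)
        print(f"{label}: extensions={sorted(feats)} -> {hop_protection(587, feats)}")
```

Whatever `hop_protection` reports, it answers only "is the first hop encrypted?" The submission server terminates the TLS session and holds the message in cleartext, as does every relay after it, which is the gap Ed Gerck describes; a check like this is useful for catching a misconfigured submission service, not as evidence that the mail itself is private in transit beyond that hop.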


Re: more reports of terrorist steganography

2007-08-20 Thread sjk
Dave Korn wrote:

> That's gotta stand out like a statistical sore thumb.
>
> The article is pretty poor if you ask me.  It outlines three techniques for
> stealth: steganography, using a shared email account as a dead-letter box, and
> blocking or redirecting known IP addresses from a mail server.  Then all of a
> sudden, there's this conclusion ...
>
>   "Internet-based attacks are extremely popular with terrorist organizations
>   because they are relatively cheap to perform, offer a high degree of
>   anonymity, and can be tremendously effective."
>
> ... that comes completely out of left-field and has nothing to do with
> anything the rest of the article mentioned.  I would conclude that someone's
> done ten minutes worth of web searching and dressed up a bunch of
> long-established facts as 'research', then slapped a "The sky is falling!
> Hay-ulp, hay-ulp" security dramaqueen ending on it and will now be busily
> pitching for government grants or contracts of some sort.

This struck me oddly as well. I cannot think of a single significant
Internet attack which has been traced to any terrorist organizations. I
would agree that this article seems to be designed to alarm rather than
inform, and, no doubt, pick up a government contract.

Additionally, the author seems to make a big deal about asymmetric
encryption without considering how key exchange is accomplished. The
logistics of key exchange remains one of the vulnerabilities of any
asymmetric encryption system.


-- 
-
[EMAIL PROTECTED]
No one can understand the truth until
he drinks of coffee's frothy goodness.
~~Sheik Abd-al-Kadir
