On Thu, 14 Nov 2014, John Levine wrote:
https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

"In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic."

Thanks to Viktor, properly configured postfix clients deployed with DANE should detect this and refuse to send the email unencrypted.

This is an anti-spam measure on port 25 traffic on a few mobile networks.
With friends like these,.... It's time for opportunistic encryption to kick in against "helpful" rewriting of people's packets. This also fits in with today's human rights presentation at SAAG. This kind of downgrade attack would be candy for oppressive regimes.
I expect there aren't a lot of copies of Postfix running on mobile devices. For all those other mobile users, if they're configured correctly they're submitting over port 587 or 465, and nobody tries to filter that.
You are wrongly assuming all must clients relay via another location. (yes I know, you say reality, I say morality)

Paul
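Added example, not part of the original thread and not Postfix code: the sender-side decision the message describes, where a stripped STARTTLS flag is silently accepted under opportunistic TLS but causes a DANE-aware sender to refuse cleartext delivery. The function names, the EHLO replies, and the `has_secure_tlsa` flag (standing in for a DNSSEC-validated TLSA lookup) are assumptions made for illustration.

```python
# Added illustration: models the sender-side decision only; no network or DNS I/O.

# Constructed EHLO replies: what the server sent vs. what arrives after
# an on-path device has removed the STARTTLS line.
INTACT = "250-mx.example.net\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
STRIPPED = "250-mx.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


def ehlo_extensions(reply: str) -> set[str]:
    """Return the extension keywords advertised in a multi-line EHLO reply."""
    keywords = set()
    lines = reply.strip().splitlines()
    for line in lines[1:]:            # first line is the server's domain/greeting
        if not line.startswith("250") or len(line) < 5:
            continue
        body = line[4:].strip()       # skip "250-" or "250 "
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def delivery_decision(reply: str, has_secure_tlsa: bool) -> str:
    """Decide what a sending MTA does with this EHLO reply.

    has_secure_tlsa: assumed to be the result of a DNSSEC-validated TLSA
    lookup for the MX host (the lookup itself is outside this example).
    """
    offers_tls = "STARTTLS" in ehlo_extensions(reply)
    if has_secure_tlsa:
        # DANE: the TLSA record signals that TLS is expected, so a missing
        # STARTTLS means the session was tampered with; fail closed.
        return "starttls" if offers_tls else "defer"
    # Opportunistic TLS: no out-of-band signal, so a stripped flag looks
    # the same as a server without TLS and the mail goes out in clear.
    return "starttls" if offers_tls else "cleartext"


if __name__ == "__main__":
    for name, reply in (("intact", INTACT), ("stripped", STRIPPED)):
        for tlsa in (False, True):
            print(name, "tlsa" if tlsa else "no-tlsa", delivery_decision(reply, tlsa))
```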
