Reiner Steib <[EMAIL PROTECTED]> writes:

> Would it make sense to prefer gnutls-cli and warn when using starttls
> (if gnutls-cli is not installed)?

Possibly, yes. Note that emacs22 (the version in Debian testing) supports both starttls and gnutls-cli, so the comment made earlier that removing the starttls package will break imaps/pop3s connections from Emacs-based MUAs is false.

>> "This software does not have any authentication capabilities: it does
>> not allow you to authenticate your peer, which is a basic requirement
>> for TLS/SSL to be used securely. You should only use it for testing
>> purposes and not relaying important information. Be aware that you are
>> vulnerable to MITM when using it"

That seems correct to me. Note that even if you use gnutls-cli, you need to configure it to use appropriate trust anchors to get full security. If you don't, I believe gnutls-cli is still superior to starttls though, since gnutls-cli verifies that the server hostname matches the hostname in the certificate.

/Simon

