On Fri, Apr 15, 2016 at 4:20 AM, Philip Whitehouse <[email protected]> wrote:
> The problem with dialogs in all cases, for example for SSLv3 is that > downgrade attacks are perfectly practical. If an attacker intercepts the > requests and claims not to support the secure protocols so the user > downgrades their connection to insecure protocols which can be broken. > This is that security = availability thing :) I don't want to enable that > possibility to fix one or two users issues. > You have a point here. Off-hand I don't have an opinion either way. Unusable crypto doesn't get used, on the other hand there's no point to use crypto that doesn't protect... > Look, today's DEFCON speech by Moxie is tommorow's weaponised Metasploit > module and Monday's tool for controlling partners to monitor their spouse. > This is how it works. If SSLv3 hadn't been outlawed by every browser and > every server it would be part of this sort of thing by now. > Yes, a very good point. > As a developer I don't know the value of the email people write. Given > until we started the work PGP/MIME was our most requested feature and > S/MIME is fairly high on the list and we're mentioned these days as a > recommended client by the Debian user list but not the Guardian I tend to > think our audience has a technical focus. > Actually, lack of S/MIME is my biggest pet peeve with K-9. Ideally, it would support a hardware token (e.g., PIV) for S/MIME just like it does with OpenKeychain for PGP/MIME. But since I'm unable to contribute working code to do that now, I can't complain too loudly... :-( > Given its still inordinately difficult to report bugs and yet we have > hundreds of the things I reckon we're not currently aimed at mass market. > > That's not to say we shouldn't be trying to get there but for now I assume > our audience is pretty security conscious. > Off-hand, can't comment. Don't know. > >...Those giants deploy > >security mechanisms they think would serve their purposes, which may or > >may not be aligned with yours (or mine). If you think they would listen > >to your demands and adjust accordingly - without being insulting, my > >experience proves different. > > Which is why we actively support as many large providers as possible. > There's an open issue to support XOAuth 2.0 which is only used by Gmail to > improve user experience. It's also why I framed my response as I did. If he > was on a random ISP email system I'd have not bothered trying to get him to > persuade them to fix it. I'd have made the point it was less secure and > then just said we'll fix it. > I'd love to see U2F supported. No opinion on XOAuth 2.0 yet. > This LogJam issue isn't an issue with any major provider. To my knowledge > it's only been found by people on self hosting (I know of one or two other > cases having searched for the error). > If true - things aren't so bad! > That's s why the bar for doing something is at this place. > :-) > >> I'm aiming for a certain level of inconvenience to help the user > >basically. > > > >If software implementation prevents the user from connecting to the > >email server he uses, how does it help him? In your world perhaps that > >user can call the owner of that server (for example, Google) and say > >“your server does not allow the kind of security my software wants - so > >fix it or I’m taking my free email elsewhere”. In my world that > >approach didn’t seem to work. > > Which is why I plan to fix this specific case. Unable to use the system > isn't okay, making them check a few boxes seems about right. > :-) 100% agree. > >First, it is not as easy to decrypt (even SSLv3, which we all agree is > >hopelessly broken and shouldn’t be used unless the only other > >alternative is plaintext) as it is to sniff...... > > I covered this above with regard to availability of tooling vs deployment > of weaker software.... > Yep, point well-taken. > >> In this specific case he is his own provider so I felt it was worth > >making the point. > > > >In this specific case you’re 100% correct. > > > >The problem I see is that people are trying to make this point > >“globally”, and usually it is not applicable. Not many of us are our > >own providers. > > Which is fortunate really because major providers are actually doing > fairly well here. > Well, in this particular issue - probably yes. But you wouldn't believe the amount of problems I'm having with (some of) major providers security-wise. Oh well... ;-) -- Regards, Mouse -- -- You received this message because you are subscribed to the K-9 Mail Users List. To post to this group, send email to [email protected] To unsubscribe, email [email protected] To report an issue with K-9 Mail, visit http://code.google.com/p/k9mail/issues/list For more options, visit this group at http://groups.google.com/group/k-9-mail --- You received this message because you are subscribed to the Google Groups "K-9 Mail" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
