Dmitry Alexandrov <[email protected]> writes:

>> Are you using TLS for SMTP/IMAP?
>>
>> If not, set up TLS and start your analysis over :-) (Seriously, not
>> having TLS and being even a little bit concerned about security do not
>> go together.)
>
> He apparently uses opportunistic encryption (STARTTLS) for some
> reason. In such a case a paranoid default behaviour of a server might
> be understandable (yet not tolerable, if it is not optional).

I think it's necessary to separate:

1) connect and just be unencrypted
2) connect, try STARTTLS, and continue on success or failure
3) connect, try STARTTLS, and disconnect on failure
4) connect via forced-on TLS (a la https)

I don't see that 3 is worse than 4. 1 is obviously bad, and 2 should give confidentiality from eavesdroppers but fails with active attackers. However, a typical wifi has an active attacker called a captive portal.

>>> I only ask as there are times whilst out and about, that K9 will
>>> synchronise email accounts irrespective of the connection.
>
> It actually should not. It used to have an option to perform an
> encryption in a truly opportunistic way, but it was removed years ago
> (cf. daea7f1ec). What version do you use?

I think he means "connect over TLS and sync".

> Anyway, you really do not want to use STARTTLS instead of full-plate
> TLS, if your server supports it (if they are so concerned about
> security, they ought to).

Why, if the client (or server) disconnects if TLS is not negotiated?

>> Are you using a VPN? If not, would it help with the above security
>> concerns?
>
> Would not it be rather superfluous here?

It depends on the security concerns. If the issue is revealing that you want to connect to your personal IMAP server, because that lets the wifi operator track your presence, then a VPN (not to your server :-) might help. That's why I asked, or meant to ask, what the threat model and security concerns were.
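
An added example, not part of the original message and not K-9 Mail's code: options 2 and 3 from the list above, written with Python's `imaplib` and run against a constructed local server that never advertises STARTTLS, so the commands each policy sends in cleartext can be compared. The names `fake_server`, `sync` and `demo` and the credentials are assumptions made for illustration.

```python
import imaplib, socket, ssl, threading

def fake_server(seen):
    """Constructed IMAP stand-in that never offers STARTTLS, which is what a
    client sees when the offer does not survive the network path."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb") as f:
            f.write(b"* OK ready\r\n"); f.flush()
            for line in f:
                tag, cmd = line.split()[:2]
                seen.append(cmd.upper().decode())  # command received in cleartext
                if cmd.upper() == b"CAPABILITY":
                    f.write(b"* CAPABILITY IMAP4rev1\r\n")
                if cmd.upper() == b"LOGOUT":
                    f.write(b"* BYE closing\r\n")
                f.write(tag + b" OK done\r\n"); f.flush()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def sync(port, require_tls):
    """require_tls=False is option 2 from the list, require_tls=True is option 3."""
    conn = imaplib.IMAP4("127.0.0.1", port, timeout=5)
    try:
        if "STARTTLS" in conn.capabilities:
            conn.starttls(ssl.create_default_context())
            encrypted = True
        elif require_tls:
            return "aborted"      # option 3: disconnect, no credentials sent
        else:
            encrypted = False     # option 2: carry on regardless
        conn.login("user", "constructed-password")
        return "encrypted" if encrypted else "cleartext"
    finally:
        conn.logout()

def demo(require_tls):
    seen = []
    return sync(fake_server(seen), require_tls), seen

if __name__ == "__main__":
    for require_tls in (False, True):
        print(require_tls, *demo(require_tls))
```

With `require_tls=False` the server's record includes `LOGIN`; with `require_tls=True` it holds only `CAPABILITY` and `LOGOUT`.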
