Brandon Long wrote: > > > On Mon, Jun 29, 2015 at 1:48 PM, Michelle Sullivan <[email protected] > <mailto:[email protected]>> wrote: > > > Thoughts/comments welcome. > > > Sure, there's a bit of political or privacy argument involved here, > that some people think "why does this need to be encrypted". There > does seem to be a shift, however, to encrypting by default. The > Mozilla blog post has a bunch of pointers in it for reasons and calls > to encrypt by default: > > https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ > HTTP and not SMTP I can understand. SMTP because of the protocol you *cannot* encrypt end to end (unless the standard is amended and adopted.)
> I don't expect to convince folks of that in this forum, nor to > downplay the costs of doing this, and the challenges for interoperability. Interoperability is an issue for me, rather than cost and challenges. Encrypting email transport (particularly with TLS) is an extension of the protocol for increasing interoperability by giving the option of encrypting the transport layer. What is being suggested is that it is forced, which will impact the interoperability of the protocol without necessarily gaining anything.... Man-in-the-middle is almost built into the protocol by default... just get someone to setup a server as the destination hop, accept encrypted email (DH=4096 for good measure) then forward plain text ... oops man-in-the-middle and whilst we (here on this list) know the difference you think man in the street will not blame who sent and/or received the email ignoring anything that happened in the street? They already blame the banks for not enough security when they answer a phish and give out their login details FFS! :P > > That said, so far today, only 0.015% of our outbound messages that > were over an encrypted link were using SSLv3. At our volume, that's > not nothing, unfortunately, but it's a pretty small amount to allow to > continue to allow the possibility of breaking the rest. TLSv1 is > still about 5%, way too high to deprecate at this point. > > Inbound is 0.1% at SSLv3, 37% at TLSv1. So +60% is unencrypted inbound... because it has to be or because it is not forced otherwise... that is the burning question. You policy Encrypted or nothing and it'll be interesting how many cope and how many don't... Michelle -- Michelle Sullivan http://www.mhix.org/ _______________________________________________ mailop mailing list [email protected] http://chilli.nosignal.org/mailman/listinfo/mailop
