On 2022-08-03 at 13:37:56 UTC-0400 (Wed, 03 Aug 2022 12:37:56 -0500)
Jarland Donnell via mailop <jarl...@mxroute.com>
is rumored to have said:

>> If you must divulge your SSN over the phone (for reasons) do you just
>> blurt it out at normal volume indifferent to who is around?  Or do you
>> walk to a secluded corner of the room and cup your hand around the
>> mouth piece?  Even questionable security is better than no security in
>> many cases.
>
> No, it isn't. It isn't security at all. If you call someone and tell them you 
> need their SSN and they ask "Is this a secure line?" If it's not, you're 
> supposed to say "No." You're not supposed to say "This is a secure line" and 
> leave unstated the subtext of "If you didn't do your research to know why 
> this isn't a secure line, it's your problem." It's on you when you say "Yes" 
> to "Is this secure?" when it isn't secure.

But that's not at issue with allowing TLS 1.0 and 1.1 in SMTP. Clients aren't 
"told" a session is "secure," they *negotiate* a session's specific security 
features in a deterministic manner. Presumably a client that can't do TLS 1.2 
or 1.3 has no expectation of any better security than they can get with 
whatever TLS versions they can do.

If you believe that either of those older versions of TLS is as vulnerable as 
plain text, please specify why. As far as I am aware, the only problems with 
them are inclusion of some weak (but not trivially so) ciphers by default and 
attacks that can't work against a typical SMTP server.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
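Since the argument above turns on what a client and server actually negotiate rather than on what either "says", a quick per-version STARTTLS probe of your own server settles it. This is an added example, not code from the thread or the list; the function names are mine, and it assumes Python 3.7+ and that the host you pass is a server you administer.

```python
import smtplib
import ssl

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_context(version):
    """Client context that can negotiate exactly `version` and nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # probing protocol support, not the cert
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL's default security level refuses TLS < 1.2; relax it for the probe.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx

def probe_server(host, port=25, timeout=10):
    """Return {version_name: (accepted, cipher_or_reason)} for every TLS version."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                if not smtp.has_extn("starttls"):
                    results[name] = (False, "no STARTTLS advertised")
                    continue
                smtp.starttls(context=probe_context(version))
                results[name] = (True, smtp.sock.cipher()[0])
        except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
            # A handshake refused at this version shows up here as an SSLError.
            results[name] = (False, exc.__class__.__name__)
    return results

def legacy_accepted(results):
    """Pre-1.2 versions the server still accepts, for the audit report."""
    return sorted(n for n, (ok, _) in results.items()
                  if ok and VERSIONS[n] < ssl.TLSVersion.TLSv1_2)

if __name__ == "__main__":
    import sys
    report = probe_server(sys.argv[1])
    for name, (ok, info) in report.items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({info})")
    print("legacy versions still accepted:", legacy_accepted(report) or "none")
```

Run it against your own MX (`python3 probe.py mail.example.com`); a version that is "rejected (SSLError)" is one a client limited to that version cannot use, which is what the negotiation described above actually decides.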
