Frank Hecker wrote:
> Probably relatively small. I suspect that most usage of IMAP/SMTP over
> SSL is by small sites like mine that are cost-conscious and thus aren't
> using commercial CAs. People doing IMAP/SMTP over internal networks
> (e.g., your typical corporation) don't necessarily see the use of SSL as
> necessary, and even if major ISPs do support IMAP/SMTP over SSL (and I
> think many don't) I suspect they would account for only a few certs
> compared to the number of certs for web sites.

Before making that leap, let's put things a little more into perspective here. Of course you do realise how relatively few website certificates there really are in the whole scheme of things, right? Approx. 100 million websites, or 20 million web servers, and only 87,000 valid certificates:

http://www.securityspace.com/s_survey/sdata/200501/certca.html

Less than 0.1%... Unfortunately I can't find anywhere that does stats on other protocols with/without encryption...

> In particular, we might want to consider different security requirements
> for the HTTP/SSL case vs. the IMAP/SMTP/LDAP over SSL case (e.g., I
> suspect phishing is not that relevant for the latter case), but we're
> forced to treat these two cases the same because they *are* the same as
> far as both the CAs and the implementations are concerned.

Gotta split the security model up into more than just on or off...

> But one could make a counter-argument that this is no big deal: The ISP
> already has to have the end user configure a bunch of ISP-specific stuff
> (e.g., domain name for IMAP server and SMTP server, checkbox for
> enabling SSL for those protocols, userid and password for IMAP and
> authenticated SMTP, etc.), so adding configuration of an ISP-specific
> root CA cert or server cert is not necessarily a big deal. (This is what
> I did for the private site I administer -- created a private CA.)

Should have used CAcert :)

> However I think people (including sysadmins) are so crypto-shy that
> people see this as a very big deal indeed. I for one am amazed that
> otherwise-intelligent sysadmins make elementary mistakes like reusing
> server keys and certs for multiple SSL-enabled servers in a company, so
> people have to click through warning dialogs just to use basic services.
> Even many security-knowledgeable IT professionals seem to turn their
> brains off when it comes to crypto-enabled applications.

Most sysadmins tend to be overworked etc., and coming from that background I would have done the same thing once as well; it reduces the amount of work, and as you pointed out SMTP/IMAP/POP3 isn't exactly high priority in terms of preventing exploits etc. Not to mention the whole SSL thing is full of marketing, which only confuses the situation much worse...

-- 
Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
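The "reusing server keys and certs for multiple SSL-enabled servers" mistake discussed above comes down to hostname matching: a TLS client compares the name it connected to against the certificate's subjectAltName dNSName entries (falling back to the Subject CN only when no dNSName is present), so a certificate minted for www.example.com and copied onto imap.example.com produces a name-mismatch warning. The example below is added here to illustrate that check and is not code from the thread, from CAcert or from any Mozilla component; the certificate identities, hostnames and the simplified RFC 6125 wildcard rule are constructed assumptions for the demonstration.

```python
"""Hostname matching as a TLS client does it (added example, not from the
mailing-list thread). Shows why one certificate copied onto several
servers triggers warning dialogs, and that a single cert listing every
name it serves (or one cert per host from a private CA / CAcert) does not.
The certificate records below are constructed, not real."""

from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity fields of an X.509 cert."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a single '*' as the whole left-most
    label, matching exactly one label (so *.example.com matches
    imap.example.com but not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the entire first label, nothing else may contain '*',
    # and the wildcard label must not stand directly over a public suffix
    # (approximated here by requiring at least three labels).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertIdentity, host: str) -> bool:
    """True if the cert is valid for `host`. If any dNSName SAN is present
    the CN is ignored, as modern clients do; otherwise fall back to CN."""
    if cert.san_dns:
        return any(_label_match(name, host) for name in cert.san_dns)
    return _label_match(cert.subject_cn, host)


def deployment_report(cert: CertIdentity, hosts: list) -> dict:
    """Map each hostname the cert is deployed on to whether a client will
    accept it without a name-mismatch warning."""
    return {h: hostname_matches(cert, h) for h in hosts}


# Constructed scenario: a cert issued for the web server is copied to the
# mail servers "to save work".
WEB_ONLY = CertIdentity(subject_cn="www.example.com",
                        san_dns=["www.example.com"])
# The one-cert fix: enumerate every name the cert will be served under.
MULTI_SAN = CertIdentity(subject_cn="www.example.com",
                         san_dns=["www.example.com", "imap.example.com",
                                  "smtp.example.com"])
SERVERS = ["www.example.com", "imap.example.com", "smtp.example.com"]

if __name__ == "__main__":
    for label, cert in (("reused web cert", WEB_ONLY),
                        ("multi-SAN cert", MULTI_SAN)):
        print(label, deployment_report(cert, SERVERS))
```

Running it prints `True` for www.example.com only under the reused cert and `True` for all three under the multi-SAN cert. Note that listing extra names does not address the other half of the mistake, sharing one private key across machines: a key compromise on the least-protected host then breaks every service the key serves, which is the case for issuing a separate key and cert per server.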
