On 10/16/2013 03:28 PM, Stephen Kent wrote:
> Stephen,
>
> Just commenting on one of your comments ...
>> ...
>>> What is this "cleartext IMAP" of which you speak?
>> I guess that's a fair comment - we don't know that they're
>> able to gather inbox data via IMAP due to it being sent in
>> clear, however that seems like a reasonable guess based
>> on the newspaper story which says that collection is done
>> by telcos that are "overseas" and assuming that TLS is not
>> busted for these services.
> Based only on the story that you cited, and your observation about
> telcos being the sources of the info, might it be the case that the
> telcos were also the mail providers? I'm not sure how to interpret
> the slides the cited story included. That sort of explanation
> would be consistent with Ned's observations about commercial provider
> use of SSL to protect IMAP/POP access.

That could be but I guess we're not likely to be told;-)

I did take a peek to see if I could figure out if there're
lots of services running on 143 without STARTTLS but haven't
found anything that answers that question. I did find this [1]
(no idea how accurate though) which says their survey found
4.7M listeners on 143, but there's no info about how many
have a usable STARTTLS config. With that number of services,
I guess collecting O(10^5) "inboxes" per day in plaintext
could be credible, but who knows.

But, nonetheless I think the question about 3-flavours of IMAP
and MTI is still worth thinking about.

S

[1] http://www.openemailsurvey.org/imap-143.html
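
The message above notes that the survey counts listeners on port 143 but says nothing about usable STARTTLS. As an added example (not part of the original message or of the survey), this sketch classifies already-collected IMAP greeting and CAPABILITY responses by what they advertise; the category names and the sample responses are constructed for illustration.

```python
import re
from collections import Counter

# A capability list arrives either as an untagged "* CAPABILITY ..." response
# or as a "[CAPABILITY ...]" response code inside the greeting (RFC 3501).
_CAP_RE = re.compile(
    r"(?:^\*\s+CAPABILITY\s+(?P<line>.+)$)|(?:\[CAPABILITY\s+(?P<code>[^\]]+)\])",
    re.IGNORECASE,
)

def parse_capabilities(response):
    """Return the set of upper-cased capability atoms found in one response."""
    caps = set()
    for raw in response.splitlines():
        m = _CAP_RE.search(raw.strip())
        if m:
            caps.update((m.group("line") or m.group("code")).upper().split())
    return caps

def classify(response):
    """Bucket a server by its advertised capabilities (hypothetical labels)."""
    caps = parse_capabilities(response)
    if not caps:
        return "unknown"                  # nothing advertised; needs a CAPABILITY query
    if "STARTTLS" not in caps:
        return "no-starttls"              # port 143 session cannot be upgraded to TLS
    if "LOGINDISABLED" in caps:
        return "starttls-login-disabled"  # server refuses LOGIN in the current state
    return "starttls-login-allowed"       # TLS offered, LOGIN not disabled before it

def tally(responses):
    """Count servers per category across a set of collected responses."""
    return Counter(classify(r) for r in responses)

# Constructed sample responses, not real survey data.
SAMPLE = [
    "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "* OK server ready\r\n* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\nA1 OK done",
    "* OK [CAPABILITY IMAP4rev1 starttls AUTH=PLAIN] hello",
    "* OK IMAP service ready",
]

if __name__ == "__main__":
    for category, count in sorted(tally(SAMPLE).items()):
        print(f"{category}: {count}")
```

Advertising STARTTLS only shows the option exists; whether the certificate and TLS configuration are usable needs a separate check after the upgrade.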
