| One reason is that these e-mail access protocols are used in
| enterprise environments where passive wiretapping is often not
| considered a viable attack. Internal to the enterprise net there
| is usually a perception of adequate physical security.

I have discovered, in the last couple of months of investigation, to
my disappointment and horror, that many many very large IT shops in
the US that are doing telecoms between their various offices and
datacenters, do not encrypt.  Large telecoms users typically use MPLS
or telco provided "dark fiber".  Cleartext.  No encryption.  Not at
the wireline layer, not at the packet layer, and not at the
application layer.

The statement I get back when I have been investigating this has
always been along the lines of "it's OUR glass" / "it's OUR circuit",
"it makes doing packet tracing and intrusion detection harder" (that
one makes me headdesk hard), "why should we be afraid of our telco
partner?", and "just because Google is doing it doesn't mean it's
useful to us".

I am working hard to assume ignorance and pollyanna-ism, instead of
malice and NSA-suborn-ism on the part of the CTOs and their security
people.

But anyway, that means that corporate use of Outlook & Exchange, Lync,
SAML, Intranet HTTP, SIP, remote file stores, IMAP & SMTP, remote
database access, remote backup, and internal customer and financial
records are completely transparent to the NSA, and to most every other
major spook agency in the world.  The NSA probably has a better view
into the second by second status of the health and wealth of the US
and world economy than any of the financial regulators.

..m
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass