On Jul 30, 2015 1:15 PM, "Viktor Dukhovni" <[email protected]> wrote:
>
> > I don't know of a similar approach for
> > any mail protocol. People have suggested delaying e-mail from hosts that
> > offer weak security. But in the end that's not a good solution - it only
> > results in losing or annoying customers for providers that actively do
> > this for penalizing..
>
> That would be counter-productive (even foolish). Cleartext is
> weaker still. The right thing to do is evangelize stronger security,
> and encourage upgrades, so that once the weak options are inessential,
> they can be dropped. This takes longer than in the browser space,
> but that's to be expected. On the other hand 80% of Google's
> outbound email is TLS encrypted. What do you think the ratio
> of HTTPS to HTTP is?

Agreed, although I would add "Name & Shame" to "Evangelize". Especially when one considers how much of corporate mail is hosted by third party services - those services have a particular business interest in staying up-to-date, lest their customers see them as being lackadaisical.

The email security tools that I'm aware of (Email Privacy Tester, checktls) are great. But they need to slap a grade on it[0] and make it even more friendly to use. Then we need to promote it like we have promoted SSLLabs.

-tom

[0] Unlike SSLLabs, the grade should not ding them for supporting weak ciphers (like RC4) unless they actually prefer those ciphers. It should have the correct context for email.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
