> On 11 May 2016, at 22:20, John R Levine <[email protected]> wrote: > Um, port25 has nice tee shirts but it isn't open source.
I never said it was? I'm aware it's a closed-source product. And it's quite good - I've been using it extensively in the past. Though their devs. were very cooperative and reversing *would* have been easy given we got debug symbols for their binaries,.. :x BTW: Your book on linkers & loaders is among my most valued literature for debugging. > >> Because nobody cares to MITM DMARC reports, at least I wouldn't. > > We really need a threat model beyond "someone might be spying on me." Sorry, but I completely disagree. Because "someone" *is* spying on all of us! It's called full-take and they do it in real-time. Have you been reading the news since June 2013? > If you look at the MITM paper by Durumeric et al., particularly tables 12 and > 15, it looks like overall the biggest cause of STARTTLS failures was > corporate firewalls, and beyond that there are some places wwhere it looks > like the ISPs MITM some or all of the mail traffic, notably Tunisia. I can > only guess what they're looking for, but it seems kind of a stretch the think > they'd be looking for reports with XML or JSON attachments. Transmission-failure data in this paper is entirely based on a GMail-only data-set as far as I can tell (please correct me if I'm wrong) and was accompanied by scanning results. Ralph Holz and we did some as well (full TLS enumeration in our case), if you're interested: - https://arxiv.org/abs/1511.00341 - https://arxiv.org/abs/1510.08646 To have a proper picture of world-wide traffic interception I'm strongly suggesting the feedback mechanism be extensible. If that's the case we can easily report detailed TLS failures, MITM attacks and operational failures back to decentralized monitoring services as well as recieving MTAs (who may also only be able to pick that up via a 3rd party). We currently have no conclusive picture in this domain. RIPE ATLAS is the best project I'm aware of, but they do not focus on e-mail. Aaron
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
