SSL/TLS and port 587
sjk
sjk at cupacoffee.net
Wed Jan 23 00:31:57 EST 2008
Ed Gerck wrote:
> List,
>
> I would like to address and request comments on the use of SSL/TLS and
> port 587 for email security.
>
> The often expressed idea that SSL/TLS and port 587 are somehow able to
> prevent warrantless wiretapping and so on, or protect any private
> communications, is IMO simply not supported by facts.
>
> Warrantless wiretapping and so on, and private communications
> eavesdropping are done more efficiently and covertly directly at the
> ISPs (hence the name "warrantless wiretapping"), where SSL/TLS
> protection does NOT apply. There is a security gap at every negotiated
> SSL/TLS session.
>
> It is misleading to claim that port 587 solves the security problem of
> email eavesdropping, and gives people a false sense of security. It is
> worse than using a 56-bit DES key -- the email is in plaintext where it
> is most vulnerable.

Perhaps you'd like to expand upon this a bit. I am a bit confused by
your assertion. tcp/587 is the standard authenticated submission port,
while tcp/465 is the normal smtp/ssl port - of course one could run any
mix of one or the other on either port. Are you suggesting that some
postmasters/admins are claiming that their Submission ports are encrypted?
--
sjk at cupacoffee.net
fingerprint: 1024D/89420B8E 2001-09-16
No one can understand the truth until
he drinks of coffee's frothy goodness.
~~Sheik Abd-al-Kadir
---------------------------------------------------------------------
The Cryptography Mailing List