SSL/TLS and port 587

sjk sjk at cupacoffee.net
Wed Jan 23 00:31:57 EST 2008


Ed Gerck wrote:
> List,
> 
> I would like to address and request comments on the use of SSL/TLS and 
> port 587 for email security.
> 
> The often expressed idea that SSL/TLS and port 587 are somehow able to 
> prevent warrantless wiretapping and so on, or protect any private 
> communications, is IMO simply not supported by facts.
> 
> Warrantless wiretapping and so on, and private communications 
> eavesdropping are done more efficiently and covertly directly at the 
> ISPs (hence the name "warrantless wiretapping"), where SSL/TLS 
> protection does NOT apply. There is a security gap at every negotiated 
> SSL/TLS session.
> 
> It is misleading to claim that port 587 solves the security problem of 
> email eavesdropping, and gives people a false sense of security. It is 
> worse than using a 56-bit DES key -- the email is in plaintext where it 
> is most vulnerable.

Perhaps you'd like to expand upon this a bit. I am a bit confused by 
your assertion. tcp/587 is the standard authenticated submission port, 
while tcp/465 is the normal smtp/ssl port - of course one could run any 
mix of one or the other on either port. Are you suggesting that some 
postmasters/admins are claiming that their Submission ports are encrypted?

-- 

sjk at cupacoffee.net
fingerprint: 1024D/89420B8E 2001-09-16

No one can understand the truth until
he drinks of coffee's frothy goodness.
~~Sheik Abd-al-Kadir

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


