SSL/TLS and port 587

Ed Gerck edgerck at nma.com
Wed Jan 23 00:49:32 EST 2008


Paul Hoffman wrote:
> At 10:38 AM -0800 1/22/08, Ed Gerck wrote:
>> The often expressed idea that SSL/TLS and port 587 are somehow able to 
>> prevent warrantless wiretapping and so on, or protect any private 
>> communications, is IMO simply not supported by facts.
> 
> Can you point to some sources of this "often expressed idea"? It seems 
> like a pretty flimsy straw man.

It is common with those who think that the threat model is
"traversing the public Internet". As I commented in the
second paragraph, an attack at the ISP (where SSL/TLS is
of no help) has been the dominant threat -- and that is
why one of the main problems is called "warrantless
wiretapping". Further, because US law does /not/ protect
data at rest, anyone claiming "authorized process" (which
the ISP itself may) can eavesdrop without any required
formality.

For examples on claiming that SSL/TLS can protect email
privacy, see the commercial email security product by
www.postini.com (now with google):

"Postini’s Encryption Manager Policy-Enforced TLS has successfully
met SEI’s email security needs, protecting communications where they
are most vulnerable — traversing the public Internet. [sic]".
in http://www.postini.com/customers/SEI_0929.pdf

In another page at postini.com, we can read: "With TLS,
we will be able to securely send and receive confidential
documents with our clients who support TLS." While this
part is 100% correct, it is not relevant for the security
of those documents, as they sit in plaintext at the ISPs.

Also, in the current thread on Comcast blocking port 25 at Farber's
IP list, and in previous threads here, using TLS/SSL has been promoted
to help "cease to become low hanging fruit for reading or public
dissemination", and to prevent a "private contractor's (ISP) misuse or
loss/exposure of your data". However, having a port 587 TLS connection
to my ISP (e.g., gmail) is not going to make my email more or less
protected at that ISP, and is not going to prevent wiretapping.

Of course, SSL/TLS is very successful in e-commerce. But SSL/TLS is
not an email authentication and encryption solution, and fails for
email where the risk is higher.

Cheers,
Ed Gerck
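As an added illustration of the hop-by-hop point made in this post (example code, not part of the original message): the script below audits the Received headers of a constructed message and reports which hop used TLS and which hosts handled the message in the clear, showing that a TLS submission on port 587 says nothing about the relay's own custody of the plaintext. Hostnames, addresses and queue ids are constructed.

```python
import email
import re

# Constructed sample (not from the original post): the client submitted
# over port 587 with STARTTLS (Postfix logs this as ESMTPSA), then the
# ISP's relay forwarded the message to the next hop without TLS (ESMTP).
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.20])
\tby mx.recipient.example (Postfix) with ESMTP id 9F3A2C1
\tfor <bob@recipient.example>; Tue, 22 Jan 2008 10:40:11 -0800 (PST)
Received: from [198.51.100.7] (client.example [198.51.100.7])
\tby relay.isp.example (Postfix) with ESMTPSA id 7B1D4A0
\tfor <bob@recipient.example>; Tue, 22 Jan 2008 10:38:02 -0800 (PST)
From: alice@example.org
To: bob@recipient.example
Subject: test

hello
"""

# "from <host> ... by <host> ... with <protocol>" as written by Postfix/Sendmail.
RE_HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)


def audit_hops(raw):
    """Return one (from, by, tls_used) tuple per Received header, oldest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RE_HOP.search(hdr)
        if not m:
            continue  # unparseable trace line; skip rather than guess
        src, dst, proto = m.groups()
        # ESMTPS / ESMTPSA mean TLS on this hop; ESMTP / ESMTPA / SMTP are cleartext.
        # The trailing "A" only records SMTP AUTH, so strip it before checking for "S".
        tls_used = proto.upper().rstrip("A").endswith("S")
        hops.append((src, dst, tls_used))
    # Received headers are prepended by each relay, so reverse for chronological order.
    return list(reversed(hops))


def plaintext_custodians(hops):
    """Every 'by' host decrypts its hop and holds the message in the clear, TLS or not."""
    return [dst for _, dst, _ in hops]


if __name__ == "__main__":
    for src, dst, tls_used in audit_hops(SAMPLE):
        print(f"{src} -> {dst}: {'TLS' if tls_used else 'cleartext'}")
    print("plaintext held at:", plaintext_custodians(audit_hops(SAMPLE)))
```

Even though the first hop is reported as TLS, relay.isp.example appears in the custodian list, which is exactly the data-at-rest exposure the post describes.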

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
