SSL/TLS and port 587

Bodo Moeller bmoeller at acm.org
Wed Jan 23 00:50:24 EST 2008


On Jan 22, 2008 10:38 AM, Ed Gerck <edgerck at nma.com> wrote:

> I would like to address and request comments on the use of SSL/TLS and port 587 for email security.
>
> The often expressed idea that SSL/TLS and port 587 are somehow able to prevent warrantless wiretapping and so on, or protect any private communications, is IMO simply not supported by facts.
>
> Warrantless wiretapping and so on, and private communications eavesdropping are done more efficiently and covertly directly at the ISPs (hence the name "warrantless wiretapping"), where SSL/TLS protection does NOT apply. There is a security gap at every negotiated SSL/TLS session.
>
> It is misleading to claim that port 587 solves the security problem of email eavesdropping, and gives people a false sense of security. It is worse than using a 56-bit DES key -- the email is in plaintext where it is most vulnerable.

You don't take into account the many users these days who use wireless
Internet access from their laptop computers, typically essentially
broadcasting all network data to whoever is sufficiently close and
sufficiently nosy.  Of course using SSL/TLS for e-mail security does
not *solve* the problem of e-mail eavesdropping (unless special care
is taken within a closed group of users), but it certainly plays an
important role in countering eavesdropping in some relevant scenarios.

Bodo

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
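
The thread's point that SSL/TLS protects individual SMTP hops rather than the message end to end can be checked on a delivered message by reading its Received headers. The following is an added example, not part of the original post: it classifies each hop by the RFC 3848 "with" protocol keyword, and the sample message, hostnames and addresses in it are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that indicate the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message (all hostnames and addresses are made up).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.25])
\tby mailstore.example.net with LMTP id c3;
\tTue, 22 Jan 2008 10:38:09 -0500
Received: from smtp.example.org (smtp.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id b2;
\tTue, 22 Jan 2008 10:38:07 -0500
Received: from laptop.local (wifi-client.example.org [203.0.113.9])
\tby smtp.example.org with ESMTPSA id a1;
\tTue, 22 Jan 2008 10:38:05 -0500
From: alice@example.org
To: bob@example.net
Subject: constructed sample

body
"""

# Matches the "from X ... by Y ... with PROTO" clauses across folded lines.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def classify_hops(raw_message):
    """Return [(sender, receiver, protocol, tls_used)] in transit order."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse to get sender-to-recipient order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # non-standard header: skip rather than guess
        proto = m.group(3).rstrip(";").upper()
        hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

if __name__ == "__main__":
    for sender, receiver, proto, tls in classify_hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'cleartext'})")
```

In the sample only the first hop (client to submission server) is TLS-protected, which covers the wireless link but not the relays, where the message is handled in plaintext. Received headers are written by each relay and earlier ones can be forged, so treat the result as an indication rather than proof.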


