[Cryptography] Certificates and PKI

Viktor Dukhovni cryptography at dukhovni.org
Sat Dec 27 00:52:59 EST 2014

On Fri, Dec 26, 2014 at 12:03:04AM -0700, Tony Arcieri wrote:

> I was a fan of opportunistic encryption for awhile, but after seeing this,
> it started to seem pretty silly to me:
> https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Storm in a teacup, that makes for well-intentioned, but transparent

> So FUD about CAs aside, without some form of authentication, ISPs (or
> anyone with a privileged network position) can and *are* automatically and
> trivially stripping opportunistic encryption, rendering it effectively
> useless.

All evidence to the contrary notwithstanding in that the vast bulk
of opportunistically encrypted MTA to MTA traffic is unimpeded,
and the fraction encrypted has gone up substantially.

Cleartext is not more secure than opportunistic TLS, which is
intended to protect the bulk of communications, not individual
sessions.  To harden any specific session against MiTM, indeed
authentication is required.
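The following is an added illustration, not part of Viktor's or Tony's message and not any MTA's real code: a small model of the three delivery policies this thread contrasts (cleartext, opportunistic STARTTLS, authenticated TLS) run against a constructed EHLO reply, with a simulated on-path stripping of the STARTTLS advertisement applied to some sessions. The hostname in the reply, the session counts, and the names `Policy`, `decide` and `simulate` are all assumptions made for the example; it exists to show that a stripped session under the opportunistic policy is exactly the cleartext session the "none" policy would have produced, while only the authenticated policy can refuse a downgraded session.

```python
"""Constructed model of an SMTP client's STARTTLS policy decision."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Policy(Enum):
    NONE = "none"             # always cleartext
    OPPORTUNISTIC = "may"     # TLS if the peer offers STARTTLS, else cleartext
    AUTHENTICATED = "secure"  # TLS plus a verified peer identity, or no delivery


@dataclass(frozen=True)
class Outcome:
    delivered: bool      # message handed to the peer in this session
    encrypted: bool      # session used TLS
    authenticated: bool  # peer identity verified, so an on-path MiTM is excluded


def parse_ehlo(reply: str) -> List[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    Lines look like '250-STARTTLS' or '250 HELP'; the first line carries the
    server's greeting rather than an extension and is skipped.
    """
    keywords = []
    for line in reply.strip().splitlines()[1:]:
        if line.startswith(("250-", "250 ")):
            keywords.append(line[4:].split()[0].upper())
    return keywords


def strip_starttls(reply: str) -> str:
    """Simulated on-path downgrade: drop the STARTTLS advertisement line.

    The reply stays syntactically valid, so a client that does not insist on
    TLS simply sees a server that never offered it.
    """
    return "\n".join(l for l in reply.splitlines() if "STARTTLS" not in l.upper())


def decide(policy: Policy, ehlo_reply: str, cert_verified: bool) -> Outcome:
    """Apply one policy to one EHLO reply and report what the session got."""
    offers_tls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if policy is Policy.NONE:
        return Outcome(delivered=True, encrypted=False, authenticated=False)
    if policy is Policy.OPPORTUNISTIC:
        # Never worse than cleartext: a stripped advertisement yields the
        # same cleartext session that Policy.NONE would have used anyway.
        return Outcome(delivered=True, encrypted=offers_tls, authenticated=False)
    # Policy.AUTHENTICATED: defer rather than downgrade when TLS or the
    # peer's identity cannot be established.
    if offers_tls and cert_verified:
        return Outcome(delivered=True, encrypted=True, authenticated=True)
    return Outcome(delivered=False, encrypted=False, authenticated=False)


# Constructed EHLO reply from a hypothetical server that offers STARTTLS.
EHLO_WITH_TLS = (
    "250-mx.example.test Hello\n"
    "250-SIZE 10240000\n"
    "250-STARTTLS\n"
    "250 HELP\n"
)


def simulate(policy: Policy, n_sessions: int = 10, n_stripped: int = 2,
             cert_verified: bool = True) -> Tuple[int, int, int]:
    """Run constructed sessions, the first n_stripped of them downgraded by
    an on-path attacker; return (delivered, encrypted, authenticated) counts."""
    results = []
    for i in range(n_sessions):
        reply = strip_starttls(EHLO_WITH_TLS) if i < n_stripped else EHLO_WITH_TLS
        results.append(decide(policy, reply, cert_verified))
    return (sum(r.delivered for r in results),
            sum(r.encrypted for r in results),
            sum(r.authenticated for r in results))


if __name__ == "__main__":
    for policy in Policy:
        delivered, encrypted, authenticated = simulate(policy)
        print(f"{policy.value:>6}: delivered={delivered} "
              f"encrypted={encrypted} authenticated={authenticated}")
```

With two of ten sessions stripped, the "none" policy delivers ten cleartext sessions, the opportunistic policy delivers ten sessions of which eight are encrypted, and the authenticated policy delivers eight encrypted and verified sessions while deferring the two downgraded ones; with no verifiable peer identity the authenticated policy delivers nothing at all, which is the cost of hardening a specific session rather than protecting bulk traffic.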


