[Cryptography] Facebook on the state of STARTTLS
Hanno Böck
hanno at hboeck.de
Tue May 20 16:12:12 EDT 2014
On Tue, 20 May 2014 10:38:24 -0700 (PDT)
"Joe St Sauver" <joe at oregon.uoregon.edu> wrote:
> #Could you explain why CA certs are futile for SMTP? It's not
> immediately #obvious to me. (I'm new to STARTTLS, have never
> configured it.)
If you configure your mail server to not deliver mails to servers with
an untrusted cert many of your mails won't be delivered at all (or you
deliver them without TLS).
Nobody would want to do that, because everyone wants email to stay
usable. Nobody will use an email service that can't send mail to 80% of
the rest of the internet.
So basically everyone just accepts every cert. The only way out would
be either some kind of certificate pinning or some other way to enforce
certificat checking like DANE. But as it stands now: A self-signed cert
is as good as every other cert.
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140520/b2cfe7c8/attachment.pgp>
More information about the cryptography
mailing list