[Cryptography] IAB Statement on Internet Confidentiality

John Levine johnl at iecc.com
Tue Nov 18 10:24:53 EST 2014


>However, if you limit it this way, opportunistic encryption has no way to tell you
>that it's been blocked.  If no one notices attacks, the step forward looks much less
>dramatic, no?

Am I really the only person here who is interested in what actually
happened, as opposed to what hypothetically might happen on some
non-existent network at some time in the unknown future?

These were mobile networks with consumer users, not backbones with
fixed MTAs.  The only mail software you find on mobile consumer
networks is MUAs, which are doing submission, not SMTP.  These days,
any MUA that is submitting over port 25 rather than 465 or 587 is
misconfigured.  I don't know about your mobile device, but on my
Android devices, if it's configured to do STARTTLS on whatever port
and that fails, the device complains since that would force it to send
passwords in the clear.

What they did was clumsy, but it has a perfectly reasonable motivation
-- stopping spam that would otherwise gush out of botted devices (and
yes, there are plenty of botted mobile devices, particularly in Asia
where it's much more common to install software from random places
rather than the Google or Apple store.)

R's,
John
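
The client behaviour discussed in this message, as an added example that is not part of the original post: a submission client that requires STARTTLS fails closed when the server's EHLO reply lacks the keyword, while an opportunistic sender carries on in cleartext. The EHLO replies, host name and function names are constructed for illustration.

```python
# Constructed EHLO replies (not captured traffic). The second is what a
# client sees when something on the path has removed the STARTTLS keyword.
EHLO_INTACT = [
    "250-mail.example.net greets client",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]
EHLO_STRIPPED = [
    "250-mail.example.net greets client",
    "250-SIZE 35882577",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]


def parse_ehlo(lines):
    """Return {KEYWORD: [params]} from an RFC 5321 multi-line 250 reply."""
    extensions = {}
    for index, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if sep == " " and index != len(lines) - 1:
            raise ValueError("final-line marker before end of reply")
        if index == 0:
            continue  # first line is the greeting, not an extension
        keyword, *params = text.split()
        extensions[keyword.upper()] = params
    return extensions


def next_step(lines, require_tls):
    """Decide what the client does after EHLO.

    require_tls=True models an MUA configured for STARTTLS with a password;
    require_tls=False models opportunistic encryption.
    """
    extensions = parse_ehlo(lines)
    if "STARTTLS" in extensions:
        return "STARTTLS"
    if require_tls:
        # Fail closed: never send AUTH over cleartext, and tell the user.
        return "ABORT: STARTTLS not offered, refusing to send credentials"
    # Opportunistic mode: this path raises no error and reports nothing.
    return "CONTINUE-CLEARTEXT"
```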

