[Cryptography] IAB Statement on Internet Confidentiality

[Abe Singer]

On Tue, Nov 18, 2014 at 03:24:53PM -0000, John Levine wrote:
> 
> These were mobile networks with consumer users, not backbones with
> fixed MTAs.  The ony mail software you find on mobile consumer
> networks is MUAs, which are doing submission, not SMTP.  These days,

Um, not SMTP? Then what protocol does the MUA use for submission?

> any MUA that is submitting over port 25 rather than 465 or 587 is
> misconfigured.  I don't know about your mobile device, but on my

For certain values of "misconfigured."  Some sites may need to support
older MUAs that use port 25 by default.  That's sometimes known as
"legacy support."


> Android devices, if it's configuted to do STARTTLS on whatever port
> and that fails, the device complains since that would force it to send
> passwords in the clear.

> 
> What they did was clumsy, but it has a perfectly reasonable motivation
> -- stopping spam that would otherwise gush out of botted devices (and
> yes, there are plenty of botted mobile devices, particularly in Asia
> where it's much more common to install software from random places
> rather than the Google or Apple store.)

So what am I missing here? if a device is botted, it doesn't matter
whether the submission port is 25 or 587; The attacker can use the
credentials stored on the device, and send spam via either port.  So why
is it okay for the ISP to break TLS on port 25 and not on port 587?

And if the user has valid credentials to send mail via the remote MSA,
what business is it of the ISP to decide whether or not it's spam?
It's between the user and the MSA.

While the ISPs intentions may have been noble (and I'm not convinced)
there are all kinds of ways that ISPs *could* combat nefarious
activity that are neither appropriate nor legal.

  To paraphrase
Jurassic Park, just because they can do it doesn't mean they
should do it.