[Cryptography] STARTTLS, was IAB Statement on Internet Confidentiality

lists at notatla.org.uk lists at notatla.org.uk
Wed Nov 19 16:49:41 EST 2014

Tom Ritter <tom ritter.vg>

> But then why didn't Cricket do what Comcast does, and just block it,
> instead of doing this super-sketchy 'Let's just remove the crypto and
> inspect the user's data' approach?  Or, what I think is a fairly
> reasonable tactic that some ISPs do on consumer home ISPs, and block
> ports but let you opt-out in your user account.  (I had an ISP that
> blocked 80 and 25, and two checkboxes to immediately undo it.)

If the ISP transparently redirects outbound mail to their own
mailserver then the TLS mail will fail for lacking the right
key.  I saw an example of this in 2005.  Killing the STARTTLS
makes it work in store-and-forward fashion.

I agree that to serve the customer the ISP should do what's been
agreed and not spring surprises.  Perhaps the ISP judged that
for most users working with missing encryption was less surprising
than getting a message they'd need help understanding.
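The two failure modes described above (a transparent redirect to the ISP's own mail server, which fails certificate verification because that server does not hold the expected key, and STARTTLS being stripped from the EHLO reply so mail falls back to plaintext store-and-forward) can both be distinguished by the submitting client. The following is an added example, not code from the list post or its author: a small Python probe that parses an EHLO reply for the STARTTLS extension, classifies the outcome of the TLS negotiation, and refuses to fall back to plaintext. The function and variable names (`parse_ehlo_extensions`, `classify_outcome`, `probe_submission_path`), the constructed EHLO replies used for the offline checks, and the host `mail.example.net` are assumptions made for illustration.

```python
"""Probe an SMTP submission path for STARTTLS stripping or redirection.

Added illustration (not from the list post). Names and sample EHLO replies
are constructed for the example.
"""
import smtplib
import ssl
from typing import Optional

# Constructed EHLO replies in the form smtplib returns them (codes stripped),
# plus a raw wire-format variant, so the parser copes with both.
EHLO_OK = "mail.example.net Hello\nSIZE 35882577\nSTARTTLS\nHELP"
EHLO_STRIPPED = "mail.example.net Hello\nSIZE 35882577\nHELP"
EHLO_RAW = "250-mail.example.net Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 HELP\r\n"


def parse_ehlo_extensions(reply: str) -> set:
    """Return the set of extension keywords advertised in an EHLO reply.

    Accepts either raw wire lines ("250-STARTTLS") or the code-stripped text
    that smtplib stores in ``ehlo_resp``. The first line is the greeting and
    is skipped.
    """
    exts = set()
    lines = [ln.strip() for ln in reply.replace("\r\n", "\n").split("\n")]
    for line in lines[1:]:
        if not line:
            continue
        # Strip a leading "250-" or "250 " if the raw reply code is present.
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            line = line[4:]
        parts = line.split()
        if parts:
            exts.add(parts[0].upper())
    return exts


def starttls_advertised(reply: str) -> bool:
    """True if the EHLO reply offers STARTTLS (i.e. it was not stripped)."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def classify_outcome(advertised: bool, tls_error: Optional[BaseException]) -> str:
    """Map what the client observed onto one of the cases from the thread.

    - "starttls-missing": the server (or something in the path) did not
      advertise STARTTLS, so sending would be plaintext store-and-forward.
    - "cert-mismatch": STARTTLS was offered but the certificate did not verify
      for the host we meant to reach; consistent with a transparent redirect
      to a server holding a different key.
    - "tls-failed": some other TLS failure.
    - "ok": STARTTLS offered and the certificate verified for the intended host.
    """
    if not advertised:
        return "starttls-missing"
    if tls_error is None:
        return "ok"
    if isinstance(tls_error, ssl.SSLCertVerificationError):
        return "cert-mismatch"
    return "tls-failed"


def probe_submission_path(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect to a submission server and report which case applies.

    Never sends mail and never continues in plaintext: if STARTTLS is absent
    or the certificate does not verify, the connection is closed and the
    outcome is reported for the operator to act on.
    """
    context = ssl.create_default_context()  # verifies chain and hostname
    result = {"host": host, "port": port}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        advertised = smtp.has_extn("starttls")
        result["extensions"] = sorted(parse_ehlo_extensions(smtp.ehlo_resp.decode()))
        tls_error = None
        if advertised:
            try:
                smtp.starttls(context=context)
                smtp.ehlo()  # re-issue EHLO inside TLS, as RFC 3207 requires
            except ssl.SSLError as exc:
                tls_error = exc
        result["outcome"] = classify_outcome(advertised, tls_error)
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; a live run would call
    # probe_submission_path("mail.example.net") against a real server.
    print("ok reply      ->", classify_outcome(starttls_advertised(EHLO_OK), None))
    print("stripped reply->", classify_outcome(starttls_advertised(EHLO_STRIPPED), None))
```

The design point is that the client treats both observations as hard failures rather than degrading: an absent STARTTLS keyword and a certificate that does not verify for the intended host are the two signals that the path has been altered, and a client that silently continues in either case is what makes the stripping approach "work" from the ISP's point of view.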

