[Users] PGP in claws

Kevin Chadwick m8il1ists at gmail.com
Sat Apr 4 18:42:26 CEST 2015


On Fri, 03 Apr 2015 09:57:09 +0200
Adam Burns wrote:

> It seems a large 
> proportion of MTA's use self-signed X.509 certificates and because of that 
> most connecting MTA's do not check certificate chains (or even attempt 
> certificate stapling), making MITM compromises relatively easy.

This because is false. It wasn't long ago that STARTTLS wasn't
supported at all by microsoft and Yahoo despite offering SSL to pop3
clients (rediculous right, marketing I guess). STARTTLS can be
downgraded so actually there is a strong argument that signed
certificates really just offer a false sense of security and so I used
to refuse to use them. Having said that some servers are beginning to
track certificates so there is more argument for them though DANE and
DNSSEC may mean self signed are just fine and more secure than
certificate tracking. Of course servers may start or maybe are doing
dumb things like aborting on self-signed or doing dumb reputation
analysis, so perhaps it's best to use a CA signed in any case.

There is also an argument that passive TCP MITM is easier than
active and so STARTTLS is more beneficial that it may seem.



More information about the Users mailing list