[Users] [Bug 4103] TLS SNI (Server Name Indication) support for IMAP, POP & SMTP

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Wed Dec 19 22:45:10 CET 2018


--- Comment #2 from Alex Smith <alex.clawsmail at madalex.me.uk> ---
(In reply to comment #1)
> However, I am wondering whether using SNI unconditionally is a good idea
> from security point of view

No, I was always planning to make it optional in the proper patch. The
experimental patch I attached was very much the bare minimum necessary to allow
people to test and provide feedback as to whether the low-level changes work or

I'm thinking of adding a check box to the SSL/TLS page of the account settings
window so that SNI can be enabled only on those accounts that need it, or at
least, can be disabled on accounts that don't need it.

I'm leaning towards making it on by default on the following grounds:

- The privacy / security implications of the name being transmitted in the
clear are most relevant where SNI *is* needed; typically if it isn't needed
then the destination IP address uniquely maps to a single domain name anyway
and hence the information can typically be obtained regardless.
- Those who know that SNI is not needed and who care about hiding which domain
name the connection is for are reasonably likely to have the knowledge and
experience required to find and turn off the option.
- Some widely used services like gmail require it so those who will need it and
will want things to "Just Work(tm)" without much effort may be the majority.
- A future TLS version is likely to fill the known hole in SNI so at some point
the concern may well go away of its own accord.

Arguments to the contrary welcome!

You are receiving this mail because:
You are the assignee for the bug.

More information about the Users mailing list