Linked by Thom Holwerda on Thu 12th Apr 2012 08:59 UTC
I would honestly serve at the altar of the person that did this. Keep the debugging information, but for the love of god, make your email client do something pretty and useful with it.
Thread beginning with comment 513870
To view parent comment, click here.
To read all comments associated with this story, please click here.
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: This fixes nothing as e-mail itself needs a redesign
by Laurence on Thu 12th Apr 2012 16:17
in reply to "RE[3]: This fixes nothing as e-mail itself needs a redesign"
Member since:2007-03-26
TLS transmission on SMTP between mail servers really doesn't make much sense. What's the purpose of TLS? To add confidentiality and security. Mail servers don't care about that, the end users do. OpenPGP and S/MIME serve just this purpose and are in wide usage because of it.
It's analogous to paper mail. If I want to transmit confidential data, I sure as hell don't trust my mailman and the whole mail delivery chain to keep my secrets. I encrypt my messages at home and all I require the mail service to do is deliver them.
It's analogous to paper mail. If I want to transmit confidential data, I sure as hell don't trust my mailman and the whole mail delivery chain to keep my secrets. I encrypt my messages at home and all I require the mail service to do is deliver them.
The problem there is that confidential information is frequently transmitted via e-mail. In fact it's pretty standard for things like Passwords and user IDs to be sent this way. Let alone more confidential data sent by users who don't understand the protocol.
Furthermore, it would make a great deal more sense to encrypt as standard at the protocol level rather than add another layer of abstraction at the user level
RE[5]: This fixes nothing as e-mail itself needs a redesign
by zztaz on Thu 12th Apr 2012 17:05
in reply to "RE[4]: This fixes nothing as e-mail itself needs a redesign"
Member since:2006-09-16
You're both right, and you're both wrong.
Keeping messages confidential requires encryption at the endpoints. That means clients need to handle it. Servers are not involved. In my opinion, not only should clients make this easy, it really needs to be available for all files regardless of method of delivery. It doesn't matter if you e-mailed it to me, I downloaded it from a web site, or you gave me a thumb drive, we need some way to prove who we are and keep the file secret from everyone else.
TLS does have a role in e-mail, and it's not encryption. TLS provides authentication. Authentication is arguably the largest problem with e-mail. The original protocol simply trusted clients and servers not to lie about who they were, and that's why we have spam. If our servers only accept mail from servers authenticated with certificates, then blocking spam is easy.
RE[5]: This fixes nothing as e-mail itself needs a redesign
by saso on Thu 12th Apr 2012 21:05
in reply to "RE[4]: This fixes nothing as e-mail itself needs a redesign"
Member since:2007-04-18
The problem there is that confidential information is frequently transmitted via e-mail. In fact it's pretty standard for things like Passwords and user IDs to be sent this way. Let alone more confidential data sent by users who don't understand the protocol.
Yes, exactly my point! Why then would you trust your post boy (mail server) not to take a peek inside the envelope if it carries sensitive information? That's actually an argument *for* end-to-end encryption!
Furthermore, it would make a great deal more sense to encrypt as standard at the protocol level rather than add another layer of abstraction at the user level
Because TLS is necessarily two-way and hop-by-hop. You can't establish a TLS session via e-mail itself, the round-trip for salt exchange and other protocol setup would be just terrible. That's why we have things like S/MIME and PGP.
RE[4]: This fixes nothing as e-mail itself needs a redesign
by phoenix on Thu 12th Apr 2012 23:19
in reply to "RE[3]: This fixes nothing as e-mail itself needs a redesign"
Member since:2005-07-11
TLS transmission on SMTP between mail servers really doesn't make much sense. What's the purpose of TLS? To add confidentiality and security. Mail servers don't care about that, the end users do. OpenPGP and S/MIME serve just this purpose and are in wide usage because of it.
It's even worse in that encrypted SMTP connections only happen between SMTP clients and servers that support it. Meaning, your e-mail client may use TLS to connect to your SMTP server, and your SMTP server may use TLS to connect to the next SMTP server in the chain .. but there's no guarantee that the next SMTP server will support TLS .. meaning the message goes through unencrypted.
TLS, SASL, and other encryption/authentication methods are really only useful if you control *EVERY* SMTP client and server in the chain. Which really only makes it useful for remote workers connecting in to the corporate mail system to send internal mail.
It's analogous to paper mail. If I want to transmit confidential data, I sure as hell don't trust my mailman and the whole mail delivery chain to keep my secrets. I encrypt my messages at home and all I require the mail service to do is deliver them.
I like using the "postcard in an envelope" analogy when explaining e-mail to people. It really brings home the point that "anyone handling the message en-route can read it".
RE[5]: This fixes nothing as e-mail itself needs a redesign
by Soulbender on Fri 13th Apr 2012 03:41
in reply to "RE[4]: This fixes nothing as e-mail itself needs a redesign"
Member since:2005-08-18
It's even worse in that encrypted SMTP connections only happen between SMTP clients and servers that support it
Even worse, most servers default to accept any certificate from other servers regardless of expiration or validity. You will never know if someone does a MITM attack on your connections.
Server-to-server TLS is rather meaning less, really.
TLS, SASL, and other encryption/authentication methods are really only useful if you control *EVERY* SMTP client and server in the chain.
Not at all. TLS is essential for the confidentiality of your login credentials when you send and receive mail from the server.
Features
Linked by Thom Holwerda on 06/13/13 14:35 UTC
The third and final WWDC product I want to talk about is - of course - OS X 10.9 Mavericks. While iOS 7 was clearly the focus of this year's WWDC, its venerable desktop counterpart certainly wasn't left behind. Apple announced OS X 10.9 Mavericks, the first OS X release not to carry the name of a big cat.
Linked by Thom Holwerda on 06/11/13 17:07 UTC
We already talked about iOS 7 yesterday (after a night of sleep, it's only looking worse and worse - look at this, for Fiona's sake!), so now it's time to talk about the downright stunning and belly flutters-inducing new Mac Pro. As former owner and huge, huge, huge fan of the PowerMac G4 Cube - I haven't been this excited about an Apple product since, well, I would say the iMac G4. This is the Apple I used to love.
Linked by Thom Holwerda on 06/10/13 23:13 UTC
Apple held its big keynote event thing at WWDC earlier this evening, but since I was away with friends I've had to read up on it later in the evening. The company announced iOS 7, OS X 10.9 Mavericks, and they gave a preview of the new Mac Pro. Especially the Mac Pro impressed me, and while iOS 7's new Holo/Metro-inspired theme looks messy and garish to me, I do commend Apple for finally breaking the mold. This news item will focus on iOS 7 - I'll dive into the Mac Pro and OS X 10.9 tomorrow (it's late here now).
Linked by Thom Holwerda on 06/08/13 14:57 UTC
And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?
Linked by Thom Holwerda on 06/07/13 11:40 UTC
This story is getting bigger and bigger. Even though most Americans probably already knew, it is now official: the United States government, through its National Security Agency, is collecting the communications and data of all American citizens, and of non-Americans using American services, through a wide collaboration with the large companies in technology, like Apple, Google, Microsoft, Facebook, and so on. Interestingly enough, the NSA itself, as well as the US government, have repeatedly and firmly denied this massive spying on Americans and non-Americans took place at all.
Linked by Thom Holwerda on 06/04/13 12:45 UTC
Ah, patents - the never-ending scourge of the technology industry. Whether wielded by companies who don't actually make any products, or large corporations who abuse them because they can't compete in the market place or because they're simply jerks, they do the industry a huge disservice and are simply plain dangerous. According to The Wall Street Journal (circumvention link), president Obama is about to take several executive actions to address patent trolls - which may seem like a good idea, but I am very worried that all this will do is strengthen the positions of notorious patent system abusers such as Apple and Microsoft.
Linked by nfeske on 05/31/13 10:12 UTC
With version 13.05, the developers of the Genode OS Framework take measures to ensure that Genode continues to scale well with a growing number of users and the steadily broadening platform coverage. Further highlights are the improved SoC support for Exynos 5, OMAP4, Raspberry Pi, i.MX, and new components for realizing headless systems.
Linked by Thom Holwerda on 05/29/13 16:59 UTC
At the D11 conference, Apple CEO Tim Cook once again took the stage to be interviewed by Walt Mossberg and Kara Swisher. While most of the interview can be replicated by picking and reading 10 random Apple fanblog stories - there were still a number of very interesting things that warrant some closer scrutiny.
Linked by Thom Holwerda on 05/24/13 17:26 UTC
So, the Xbox One disaster continues. Microsoft's policy for dealing with the used games market has reportedly leaked - and it's a clear and direct attack to destroy the used games market. Prices for used games will be set at the retail value of a new game, and retailers have to hook into Microsoft's computer systems and comply with Microsoft's terms and conditions.
Linked by Thom Holwerda on 05/21/13 21:38 UTC
At an event earlier today, Microsoft unveiled the next Xbox - the third model, but confusingly named Xbox One. The big focus was TV, integrated Kinect, and all the other stuff we all expected to be forced down our throats. I think it took them 25 minutes to actually come to what should be the core of the story: gaming. Nothing groundbreaking in the gaming department, except for how Microsoft intends to handle the used games market and borrowing games from friends: pay up, buddy!More Features »
Sponsored Links
Member since:
2007-04-18
TLS transmission on SMTP between mail servers really doesn't make much sense. What's the purpose of TLS? To add confidentiality and security. Mail servers don't care about that, the end users do. OpenPGP and S/MIME serve just this purpose and are in wide usage because of it.
It's analogous to paper mail. If I want to transmit confidential data, I sure as hell don't trust my mailman and the whole mail delivery chain to keep my secrets. I encrypt my messages at home and all I require the mail service to do is deliver them.