Linked by Thom Holwerda on Thu 12th Apr 2012 08:59 UTC
Internet & Networking I would honestly serve at the altar of the person that did this. Keep the debugging information, but for the love of god, make your email client do something pretty and useful with it.
Thread beginning with comment 514276
To view parent comment, click here.
To read all comments associated with this story, please click here.
saso
Member since:
2007-04-18

I know it is - I was arguing in favour of encryption the whole time *facepalm*

In replying to my argument against using TLS on server-to-server SMTP, you proposed to "encrypt as standard at the protocol level". Which protocol? What level? As you didn't point that out, I quite naturally assumed you were talking about TLS or SMTP encryption of some other sort.

That plainly does nothing. The encryption endpoints (i.e. mail servers) don't care about confidentiality or security. SMTP cares nothing, I repeat, nothing about the format, structure and contents of the mail messages it carries, it's really just a plain-text message exchange protocol. SMTP != MIME. So before you facepalm, please consider your words somewhat more carefully.

I'm aware of that, but even just TLS is a huge step up from where we currently are.

How exactly? What kind of problems does it solve and how does it achieve that? "Encrypt everything" is a cute mantra, but pointless encryption that doesn't solve any real problem is just a waste of (human and machine) resources.

However I wasn't saying the encryption method had to be TLS, I just said it should be a requirement in the protocol / specification rather than an addon provided by the client.

Again, SMTP != MIME.

At least with enforced TLS, it means that even lazy developers are forced to encrypt communications and it prevents any interception.

How does it prevent interception? All I need to do, as an attacker, is either get access to any of the mail servers in transfer (easy to do if you're the government or other powerful entity), or simply mandate that all e-mail from my network go through my SMTP servers. (There's also other possibilities, like MITM somebody by inserting false MX records, etc.)

It "just" doesn't account for hacked mail relays.

You don't have to hack a relay to get into the e-mail relay chain. All you need to do is control the relay in a totally legitimate way. This is common practice in corporate, campus and even service provider networks - they prevent SMTP out and only allow you to go through their servers. Again, this is common practice and legitimate, so any argumentation of the sort "well simply change providers then" would be nonsensical.

Reply Parent Score: 1