RE: Norton AV 2002 rewriting SMTP, breaking TLS

> I saw this behavior in Norton AV 2000.  After searching their 
> web site, I found the information saying that they just plain
> don't support SSL encrypted email.  You have to pick, auto-scan
> AV, or encrypted session.

	I ran into this bug (yes, I'll call it a bug) in Norton a few
months ago.  I can only say that there is a special circle in hell
reserved for companies which _silently_ disable security measures in
order to let their product carry out a procedure (especially a redundant
procedure).

	While we're on STARTTLS issues, another security issue people
should be aware of is that mail clients (I've seen this on OE, but I'm
betting it is pretty common) only use SSL for encryption, not
authentication.  In other words, if you just happen to be in a hotel
with one of those ethernet devices, and the hotel ISP happens to
silently redirect port 25 to their own SMTP relay, and their SMTP relay
supports STARTTLS with a valid certificate, then your mail client will
very happily transmit your SMTP AUTH credentials to their server,
thinking it is your own that it is talking to.  This one bit me at SANS
Orlando 2002 (Thank you, Marriott...)

-- 
	gowen -- Greg Owen -- greg_owen@vibren.com
	Senior Network Engineer, Network Solutions Group
	Vibren Technologies, Inc.
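
The check the message says mail clients skip, as an added example that is not part of the original post: a certificate can chain to a trusted CA and still name a different host than the one the client was configured for, so the client must compare names before sending SMTP AUTH. The function names and the hostnames `mail.example.org` and `smtp.hotel-isp.example` are constructed for illustration.

```python
import smtplib
import ssl


def name_matches(cert, host):
    """True if a getpeercert()-style dict names `host` in a DNS subjectAltName."""
    host = host.lower().rstrip(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern == host:
            return True
        # A leading "*." wildcard covers exactly one left-most label.
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def strict_context():
    """Chain validation plus hostname check; both are the defaults here."""
    return ssl.create_default_context()


def login_verified(host, user, password, port=25):
    """STARTTLS, then AUTH only if the certificate names the configured host."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        # smtplib passes `host` as server_hostname, so a redirecting relay whose
        # valid certificate names some other host fails here with
        # ssl.SSLCertVerificationError, before any credentials are sent.
        smtp.starttls(context=strict_context())
        smtp.ehlo()
        smtp.login(user, password)


# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert() returns.
OWN_SERVER = {"subjectAltName": (("DNS", "mail.example.org"),)}
HOTEL_RELAY = {"subjectAltName": (("DNS", "smtp.hotel-isp.example"),)}
```

`name_matches` only illustrates the comparison on sample data; in `login_verified` the same comparison is done by the `ssl` module itself during the handshake.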

