On Fri, Jul 19, 2002 at 02:40:16PM -0400, Owen, Greg wrote:
| > I saw this behavior in Norton AV 2000. After searching their
| > web site, I found the information saying that they just plain
| > don't support SSL encrypted email. You have to pick, auto-scan
| > AV, or encrypted session.
|
| I ran into this bug (yes, I'll call it a bug) in Norton a few
| months ago. I can only say that there is a special circle in hell
| reserved for companies which _silently_ disable security measures in
| order to let their product carry out a procedure (especially a redundant
| procedure).
|
| While we're on STARTTLS issues, another security issue people
| should be aware of is that mail clients (I've seen this on OE, but I'm
| betting it is pretty common) only use SSL for encryption, not
| authentication. In other words, if you just happen to be in a hotel
| with one of those ethernet devices, and the hotel ISP happens to
| silently redirect port 25 to their own SMTP relay, and their SMTP relay
| supports STARTTLS with a valid certificate, then your mail client will
| very happily transmit your SMTP AUTH credentials to their server,
| thinking it is your own that it is talking to. This one bit me at SANS
| Orlando 2002 (Thank you, Marriot...)

So if the Marriot can do this, why can't Norton? It seems to be the perfect solution; encrypt to the AV product, which is doing a MITM attack, and then from the AV product to your mail server. Which of course will make figuring out what the cert on the far end is *even trickier*, but hey, it's a small price to pay for anti-eavesdropping.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
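The missing check the thread describes (a client that does STARTTLS but never asks whether the certificate names the server it meant to reach) can be made explicit in code. This is an added example, not part of the thread or of any mail client; the certificate dicts and host names are constructed, and `send_with_verified_starttls` is a hypothetical helper showing where the check sits relative to SMTP AUTH.

```python
"""Added example: do not send SMTP AUTH credentials over STARTTLS unless the
peer certificate names the server we intended to talk to."""
import smtplib
import ssl


def hostname_matches(expected, dns_names):
    """RFC 6125-style match of `expected` against dNSName SAN entries.
    Case-insensitive; a wildcard may only stand for the whole left-most
    label and never at TLD depth (so '*.com' is rejected)."""
    exp = expected.lower().rstrip(".").split(".")
    for name in dns_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(exp):
            continue
        if "*" in pat[0] and (pat[0] != "*" or len(pat) < 3):
            continue
        if any("*" in p for p in pat[1:]):
            continue
        if all(p == "*" or p == e for p, e in zip(pat, exp)):
            return True
    return False


def cert_names(cert):
    """dNSName SANs from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def should_send_credentials(expected_host, cert):
    """True only when the peer's certificate actually names expected_host."""
    return hostname_matches(expected_host, cert_names(cert))


def send_with_verified_starttls(host, port, user, password, sender, rcpt, body):
    # Hypothetical helper. ssl.create_default_context() already enforces chain
    # validation and hostname checking, so a redirect to a relay holding a
    # valid certificate for some other name fails the handshake before AUTH.
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=ctx)
        # Explicit re-check, to make the decision point visible.
        if not should_send_credentials(host, smtp.sock.getpeercert()):
            raise ssl.SSLCertVerificationError("peer does not name %s" % host)
        smtp.login(user, password)
        smtp.sendmail(sender, [rcpt], body)


# Constructed certificates: the relay's is valid but for the hotel's own host.
HOTEL_CERT = {"subjectAltName": (("DNS", "smtp.hotel-isp.example"),)}
HOME_CERT = {"subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org"))}
```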