On Wed, Jan 5, 2022 at 11:00 PM Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
> On 1/5/22 3:17 PM, Jim Fenton wrote:
>> I should probably point out RFC 8689, “SMTP Require TLS Option”, that allows the sender of a message to require that it be sent via TLS. Unfortunately there isn’t any operational deployment of REQUIRETLS, perhaps in part because it requires deployment of DANE or MTA-STS to make it secure against MX record spoofing attacks and the like. Those attacks would also need to be considered when discussing anything involving public key discovery through an SMTP option or command.
> Also I think there's widespread agreement that hop-by-hop encryption is
> necessary but insufficient; we need message encryption also.
Whether there is 'widespread agreement' is irrelevant. The facts and the evidence prove that messages need to be encrypted end to end.
We spent the entire 2016 election with Trump's team attacking Clinton's handling of email. The director of the FBI despicably abused his office to join in that partisan attack. On and on and on.
Meanwhile, agents of the GRU and FSB hacked into the DNC and stole the Democrats' campaign strategy off the mail server. These were passed to the Trump campaign, and other emails were released through a Russian operative based in London.
These events are not disputable. They are facts. Email insecurity has changed the course of history and democracy in the US is still under threat as a result.
Oh and if people are allowed to demean and denigrate my work as 'tilting at windmills' without them being told they are out of line, I am going to feel free to make partisan political points. If it is ok to make personal attacks on other people in this group, I am going to feel free to tell the truth about authoritarians when it is relevant to my argument, which it is in this case.
Every one of the top 20 data breaches in history was a breach of data at rest. And there is a good reason for that: TLS has pretty much shut down attacks on data in transit. Data in transit is in any case the harder attack.
We have to protect data at rest. Of course, if we are dealing with government communications, there is going to have to be extraordinary access. Not least because you can't have a situation where nobody knows what the Secretary of State agreed to at a meeting because they keeled over with a heart attack etc. Fortunately, threshold allows those types of access to be supported with accountability controls in closed systems like a department or agency.
If we had done our job and secured data at rest, the entire 'but her emails' issue would have been irrelevant.
It is my belief that the entire reason that Clinton had that unauthorized server was that she didn't trust the GSA. And she was completely right not to. Security at the GSA is even more lax than at the NSA where a 29 year old contractor was the administrator of the key server that had the ability to decrypt every document. She couldn't say that was the reason of course because people would have ridiculed the notion that a GSA employee with access to the emails would have leaked them despite the fact there are multiple former federal employees in prison right now for doing just that.
And yes, as Victor points out, it is necessary to do the whole job and do it right. End-to-end encrypted mail must be exactly the same as regular email. An email encryption scheme that requires people to remember to click a button every time they send a message is not going to be used. Nor is a scheme where people can't read their messages on other devices or have to endure complex configuration.