On 5/4/22 10:09, Christopher Morrow wrote:
TLS is still negotiated on a per-hop basis, and STARTTLS is subject to downgrading attacks from well-placed intermediaries.On Tue, May 3, 2022 at 10:51 PM Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
Of course, having email transmitted in cleartext creates lots of
nontrivial problems also. It's just that we regard those problems as
"normal", or pretend that they don't exist.
How much do we think 'transmitted in cleartext' exists anymore?Hadn't all of the large email vendors basically forced TLS on the smtp path ~4-5yrs back?
Hasn't imap (without TLS) been non-supported by pretty much everyone for ~10+yrs?
Is the problem you (and to some extent John) point out actually data-at-rest and not data-in-flight?
It's both, of course.
