On 5/4/22 15:03, John Levine wrote:
How much do we think 'transmitted in cleartext' exists anymore?
TLS is still negotiated on a per-hop basis, and STARTTLS is subject to downgrading attacks from well-placed intermediaries.
Only for domains that don't support MTA-STS or DANE TLSA.
Fair point but I wonder how much it actually matters in practice. I suppose setting up a "well-placed intermediary" is somewhat easier if you don't need an insider to give you access to the cleartext emails. But having emails stored in cleartext on relaying SMTP servers still seems like a big vulnerability in today's world.
Keith