Re: mail crypto, was the introduction problem, was Email


On Wed, May 4, 2022 at 4:20 PM Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:

On 5/4/22 15:03, John Levine wrote:

How much do we think 'transmitted in cleartext' exists anymore?
TLS is still negotiated on a per-hop basis, and STARTTLS is subject to 
downgrading attacks from well-placed intermediaries.
Only for domains that don't support MTA-STS or DANE TLSA.

Fair point but I wonder how much it actually matters in practice.  I suppose setting up a "well-placed intermediary" is somewhat easier if you don't need an insider to give you access to the cleartext emails.  But having emails stored in cleartext on relaying SMTP servers still seems like a big vulnerability in today's world.


I imagine that the bulk of mail sent/delivered is:
  1) between large mail providers (Hotmail, Gmail, etc.)
  2) business-to-business

The 1st is certainly not (after a few well-publicized incidents) storing plaintext on disk for folk to read...
The second almost all use a form of 'exchange' that ... also doesn't store plain text on disk...
  (and really the 2nd is subject to the employer/business having the remit to review anyway...)
