--On Wednesday, October 30, 2024 17:51 +0100 Ted Lemon <mellon@xxxxxxxxx> wrote:

> That's really cool, and would have been useful to lead with. I've
> never heard of any of this. Your comments now make more sense. I
> was not intending to be snarky—you referred to an old printer,
> and I have never heard of anybody's printer doing this (I have my
> own printers and scanners, and they do not, for example), so I
> assumed this was some old idea that's no longer in use. I apologize
> for the misunderstanding.
>
> That said, a scanner that emails your scanned images in plaintext
> without using TLS is a serious security problem and should
> definitely be prevented from continuing to do that. It's a benefit
> to the end user to prevent this, not a loss of function. I would
> say that this is a strong argument in favor of requiring STARTTLS,
> not an argument against it.

Ted,

If you haven't read the note I sent a few minutes ago, please do so first. However, to the above...

If I had a scanner like that (I think I actually do, but don't configure it that way for reasons that have nothing to do with security) I'd be horrified if it sent scanned images in plaintext out over the public Internet or even over unprotected WiFi connections. If I had users on my LAN whom I wanted to keep isolated from some things I chose to scan (e.g., children and some old jokes about feeelthy pictures might be useful here) or who were, themselves, security risks, I'd want the scans encrypted or, more likely, to protect everything else by rethinking how my LAN was organized. I'd also want to be sure I understood just exactly how material that was being transmitted to my network-attached printers was protected especially since, when last I looked, few new printers even supported traditional serial or parallel hard-wired connections. The latter wouldn't have anything to do with SMTP, but that does not change the problem.

It is starting to feel to me as if this discussion is moving away from SMTP, especially when the hop-by-hop characteristics are included. Would putting some language into the current I-D make some of us feel that we are Doing Something, however slight, about the problem and therefore signal virtue? Perhaps. But maybe the IETF should be spending time making sure that there is good documentation out there about how users can secure their LANs ("LAN Privacy and Security for Dummies", John L.?). I'm also starting to imagine an RFC, perhaps an April 1 one, titled something like "First Principle of Internet Privacy and Security: Don't be careless or stupid". Volunteer authors or co-authors welcome :-).

   john

--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx