Re: Security for various IETF services

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 16:08 06-04-2014, David Morris wrote:
I don't object to making TLS/et al access available when it can be
done at a moderate cost. But that is different than the implied
statement that the intent is to require TLS for future service
access.

I read the statement as being about not having recurring discussions about whether access to a future service will require secure access. That's worthwhile.

https://datatracker.ietf.org has links to http://tools.ietf.org/ and http://www.ietf.org. The "Search" link is to "www.google.com". jabber.ietf.org is listed as having the following issues:

  - Certificate is not trusted
  - Server allows SSLv2, which is obsolete and insecure.
  - Server does not support the newest version, TLS 1.2.

The mail service does not support STARTTLS.

The current guideline for services is "server security based on best-practices and data sensitivity level". There isn't any information about the best-practices for information which will be publicly available. Some people have been accessing (IETF) publicly available information using clear-text protocols for many years. The people do not consider "X is spying on you" as a reason to stop using those protocols.

A few months ago, a person (not in the IETF) posted the following comment:

  "I'd really like to know how secure this offer is before considering it...."

Regards,
S. Moonesamy




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]