On Sat, Oct 31, 2015 at 07:15:51AM -0400, Watson Ladd wrote: > > STARTTLS is designed to thwart exactly one attack: *passive* wiretap. > > It works as designed for just that attack. It is not surprising > > that active attacks can and do defeat STARTTLS, > > Before STARTTLS adoption the Tunisian secret police read all your > emails. Afterwards they still do. What was gained? Let's try solving > that problem. Funny you should say that, that's a good part of what I've been doing for the past 2.5 years. However, simply having more SMTP servers feeling good about useless WebPKI certs is not the answer. Additional, downgrade-resistant out-of-band signalling is required as explained in RFC7435 and RFC7672. I've been working on one such signalling model that is gaining some initial traction. -- Viktor.