On Fri, Sep 06, 2013 at 12:03:56PM -0700, Michael Thomas wrote:
On 09/06/2013 11:19 AM, Nicolai wrote:
That's true -- it is far easier to subvert email than most other services, and in the case of email we probably need a wholly new protocol.
Uh, a first step might be to just turn on [START]TLS. We're not using the tools that have been implemented and deployed for a decade at least.
Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client did not present a certificate)
    by leitl.org (Postfix) with ESMTPS id 57418543E4D
    for <eugen@leitl.org>; Fri, 6 Sep 2013 21:06:34 +0200 (CEST)
Received: from localhost ([::1] helo=sc1.nanog.org)
    by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD))
    (envelope-from <nanog-bounces@nanog.org>)
    id 1VI1KX-000CSi-NT; Fri, 06 Sep 2013 19:04:29 +0000
Received: from mtcc.com ([50.0.18.224])
    by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD))
    (envelope-from <mike@mtcc.com>)
    id 1VI1KH-000CQe-Mt
    for nanog@nanog.org; Fri, 06 Sep 2013 19:04:13 +0000
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224])
    (authenticated bits=0)
    by mtcc.com (8.14.3/8.14.3) with ESMTP id r86J3uVr017222
    (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
    Fri, 6 Sep 2013 12:03:57 -0700

-- doesn't do PFS, unfortunately. Everything should be doing PFS, now that we know.
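One way to audit this from the receiving side, as an added Python example (not code from this thread, nor from Postfix, Exim or Sendmail): unfold the Received: headers, pull the TLS version and cipher out of the Postfix-style "(using ... with cipher ...)" and Sendmail-style "(version=... cipher=...)" annotations seen above, and flag each hop as forward secret or not. The sample input is the set of Received: lines quoted in the message. The verdict keys off the key-exchange part of the OpenSSL suite name, which is what decides forward secrecy: plain RSA key transport cannot be forward secret, while DHE and ECDHE suites negotiate ephemeral keys, and every TLS 1.3 suite does. The verify= value from the Sendmail hop is reported separately, because "verify=NO" means the peer certificate was not verified, which is a different weakness from the cipher choice. Exim's own TLS annotation format is not parsed here (assumption: the hops of interest carry Postfix or Sendmail annotations).

```python
import re
from typing import Dict, List, Optional

# Sample input: the four Received: headers quoted in the message above,
# embedded here so the example runs stand-alone.
SAMPLE_HEADERS = """\
Received: from sc1.nanog.org (sc1.nanog.org [50.31.151.68])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client did not present a certificate)
    by leitl.org (Postfix) with ESMTPS id 57418543E4D
    for <eugen@leitl.org>; Fri, 6 Sep 2013 21:06:34 +0200 (CEST)
Received: from localhost ([::1] helo=sc1.nanog.org)
    by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD))
    (envelope-from <nanog-bounces@nanog.org>)
    id 1VI1KX-000CSi-NT; Fri, 06 Sep 2013 19:04:29 +0000
Received: from mtcc.com ([50.0.18.224])
    by sc1.nanog.org with esmtp (Exim 4.80.1 (FreeBSD))
    (envelope-from <mike@mtcc.com>)
    id 1VI1KH-000CQe-Mt
    for nanog@nanog.org; Fri, 06 Sep 2013 19:04:13 +0000
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224])
    (authenticated bits=0)
    by mtcc.com (8.14.3/8.14.3) with ESMTP id r86J3uVr017222
    (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
    Fri, 6 Sep 2013 12:03:57 -0700
"""

# Postfix: "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))"
POSTFIX_TLS = re.compile(r"using (?P<ver>\S+) with cipher (?P<cipher>[A-Z0-9_-]+)")
# Sendmail: "(version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO)"
SENDMAIL_TLS = re.compile(r"version=(?P<ver>\S+) cipher=(?P<cipher>[A-Z0-9_-]+)")
VERIFY_RE = re.compile(r"\bverify=(\w+)")
BY_RE = re.compile(r"\bby (\S+)")


def unfold_received(headers: str) -> List[str]:
    """Return each Received: header as one unfolded string (RFC 5322 folding:
    a continuation line starts with whitespace and belongs to the header above)."""
    hops: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t"):
            if hops:
                hops[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            hops.append(line[len("received:"):].strip())
    return hops


def forward_secret(cipher: str) -> bool:
    """True when the OpenSSL suite name implies an ephemeral key exchange.
    TLS 1.3 names (TLS_AES_..., TLS_CHACHA20_...) are always forward secret;
    for TLS 1.2 and older the prefix decides: ECDHE/DHE (EDH is the old DHE
    spelling) yes, anything else (RSA key transport, static DH/ECDH) no."""
    if cipher.startswith("TLS_"):
        return True
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-"))


def analyse_hop(hop: str) -> Dict[str, Optional[object]]:
    """Extract the relay, TLS version, cipher, verify= flag and a forward-secrecy
    verdict from one unfolded Received: header. 'fs' is None when the hop carries
    no TLS annotation at all (cleartext, or an MTA whose format is not parsed here)."""
    by = BY_RE.search(hop)
    tls = POSTFIX_TLS.search(hop) or SENDMAIL_TLS.search(hop)
    verify = VERIFY_RE.search(hop)
    info: Dict[str, Optional[object]] = {
        "by": by.group(1) if by else None,
        "tls": None,
        "cipher": None,
        "verify": verify.group(1) if verify else None,
        "fs": None,
    }
    if tls:
        info["tls"] = tls.group("ver")
        info["cipher"] = tls.group("cipher")
        info["fs"] = forward_secret(tls.group("cipher"))
    return info


def audit(headers: str) -> List[Dict[str, Optional[object]]]:
    """One verdict dict per hop, in the order the headers appear (newest first)."""
    return [analyse_hop(h) for h in unfold_received(headers)]


if __name__ == "__main__":
    for hop in audit(SAMPLE_HEADERS):
        print(hop)
```

Run against the quoted headers it reports the two annotated hops with their suites and verdicts and leaves the unannotated Exim hop as unknown rather than guessing; a hop with an RSA-key-transport suite such as AES256-SHA comes back as not forward secret. Hops whose MTA records no TLS detail at all are the ones worth following up first, since "no annotation" usually means "no TLS".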