Re: "If you DON'T use encryption, you help the terrorists win"
On Wed, Oct 29, 2003 at 11:28:08AM -0500, Sunder wrote:
The biggest hurdle and the thing that will have the most effect is to have every MTA out there turn on Start TLS. It won't provide a big enhancement
For the record: it's unreasonably difficult (for a pedestrian sysadmin such as me) to set up StartTLS. Debian unstable ships with postfix-tls (albeit not installed as default), but apt-get install postfix-tls doesn't take care of the self-signed cert generation, and setting up /etc/postfix/main.cf for StartTLS support. It would be a most cypherpunkly undertaking to get that package to do that. (I have no idea how Debian packages work, unfortunately).
in terms of security at the ISP level, but it will blind the global content search engines everywhere. Except, of course, at those ISPs already infected by carnivore boxes - which at least aren't allowed by law to capture all traffic, but I wouldn't put money on them following it.
So the first course of action is to convince MTA authors everywhere to enable and turn this on. Later, they could drop support for non-TLS traffic. It could also help against spamming somehow, as it will cost the spammer a few more CPU cycles. (But this will be a very weak deterrent against spam.)
--
Eugen* Leitl leitl (http://leitl.org)
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
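The two pieces Eugen says the package leaves to the admin, generating a self-signed certificate and adding the StartTLS lines to /etc/postfix/main.cf, as an added example. This is not code from the thread or from the Debian postfix-tls package; it assumes the certificate and key live under /etc/postfix/ssl (a made-up location) and uses the parameter names of Postfix 2.3 and later (`smtpd_tls_security_level = may`; the 2003-era postfix-tls patch spelled the same setting `smtpd_use_tls = yes`).

```shell
#!/bin/sh
# Added example (not from the thread or the Debian postfix-tls package):
# self-signed cert generation plus an idempotent main.cf fragment for
# opportunistic STARTTLS. Assumed: paths under /etc/postfix/ssl and the
# Postfix >= 2.3 parameter names.
set -eu

CERT=${CERT:-/etc/postfix/ssl/smtpd.pem}
KEY=${KEY:-/etc/postfix/ssl/smtpd.key}

# Emit the main.cf lines. "may" offers TLS to clients that ask for it and uses
# it to servers that advertise it, falling back to plaintext otherwise: that is
# what blinds passive collection without breaking mail to non-TLS peers.
# It is not authentication: nobody verifies a self-signed cert, so an active
# attacker on the path can still strip STARTTLS; "encrypt"/"verify" come next.
postfix_tls_fragment() {
    cat <<EOF
# --- opportunistic STARTTLS, inbound (smtpd) and outbound (smtp) ---
smtpd_tls_cert_file = $1
smtpd_tls_key_file = $2
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_loglevel = 1
EOF
}

# Self-signed certificate for the MTA's hostname; private key kept root-only.
make_selfsigned_cert() {
    cert=$1; key=$2; cn=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    mkdir -p "$(dirname "$cert")" "$(dirname "$key")"
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$cn" -keyout "$key" -out "$cert"
    chmod 600 "$key"
}

# Append the fragment to main.cf exactly once; re-running must not duplicate it.
apply_fragment() {
    cfg=$1; cert=$2; key=$3
    if grep -q '^smtpd_tls_security_level' "$cfg" 2>/dev/null; then
        echo "$cfg: STARTTLS already configured, leaving it alone" >&2
        return 0
    fi
    postfix_tls_fragment "$cert" "$key" >> "$cfg"
}

# Number of smtpd_tls_security_level lines in a main.cf (empty if no such file).
tls_level_count() {
    grep -c '^smtpd_tls_security_level' "$1" 2>/dev/null || true
}

# Stand-alone run just prints the fragment; POSTFIX_TLS_APPLY=1 generates the
# cert and edits /etc/postfix/main.cf (follow with: postfix reload).
if [ "${POSTFIX_TLS_APPLY:-0}" = 1 ]; then
    make_selfsigned_cert "$CERT" "$KEY" "$(hostname -f)"
    apply_fragment /etc/postfix/main.cf "$CERT" "$KEY"
else
    postfix_tls_fragment "$CERT" "$KEY"
fi
```

To check the result from outside, `openssl s_client -starttls smtp -connect mail.example.org:25 </dev/null` should print the self-signed certificate and a negotiated cipher, and an EHLO over plain port 25 should list `250-STARTTLS`; a `Received:` header with TLS details on incoming mail (from `smtpd_tls_received_header`) confirms peers are actually using it.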
The push to do that should be aimed at the MTA authors and package organizers. If you can get it turned on by default, you're halfway there. Last time I tried to fuck with this on qmail, I had to patch qmail to support it. Not something I'd like to do again - hopefully it's changed a bit.
From first-hand experience - it is indeed a pain in the ass.
But if you can get the big projects to turn it on by default for all/most of the MTAs, then you can push the bigger fish to do so as well. I'd start with OpenBSD - they're likely to be friendlier to the idea. Then you can push FreeBSD, NetBSD, RedHat Linux, Mandrake, and so on... Then the MTA authors, then Solaris (which seems to be bent on copying whatever Linux does) and so on.... Strangely enough, I recall that of all the entities out there, MSFT had implemented some sort of secure SMTP in some version of IIS.. like 4.0... Not sure about Exchange and its ilk...
----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular
<--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.
  /|\  :Found to date: 0. Cost of war: $800,000,000,000 USD.
 + v + : The look on Saddam's face - priceless!
--------_sunder_@_sunder_._net_------- http://www.sunder.net ------------
On Wed, 29 Oct 2003, Eugen Leitl wrote:
On Wed, Oct 29, 2003 at 11:28:08AM -0500, Sunder wrote:
The biggest hurdle and the thing that will have the most effect is to have every MTA out there turn on Start TLS. It won't provide a big enhancement
For the record: it's unreasonably difficult (for a pedestrian sysadmin such as me) to set up StartTLS. Debian unstable ships with postfix-tls (albeit not installed as default), but apt-get install postfix-tls doesn't take care of the self-signed cert generation, and setting up /etc/postfix/main.cf for StartTLS support.
It would be a most cypherpunkly undertaking to get that package to do that. (I have no idea how Debian packages work, unfortunately).
also sprach Eugen Leitl <eugen@leitl.org> [2003.10.29.1857 +0100]:
For the record: it's unreasonably difficult (for a pedestrian sysadmin such as me) to set up StartTLS. Debian unstable ships with postfix-tls (albeit not installed as default), but apt-get install postfix-tls doesn't take care of the self-signed cert generation, and setting up /etc/postfix/main.cf for StartTLS support.
It would be a most cypherpunkly undertaking to get that package to do that. (I have no idea how Debian packages work, unfortunately).
I will forward this to the appropriate people.
--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

"i must get out of these wet clothes and into a dry martini."
                                             -- alexander woolcott
Participants (3): Eugen Leitl, martin f krafft, Sunder