Eric Murray <ericm@lne.com> writes:

On Wed, Aug 28, 2002 at 03:26:47PM +1200, Peter Gutmann wrote:

...

Eugen Leitl <eugen@leitl.org> writes:

(actually, I wrote:)

Oops, sorry, trimmed the wrong text.

...

...

It's relatively easy to turn on TLS in sendmail. It's not secure against active attackers that can modify the data in the TCP stream but it's better than nothing.

Actually it's better than any other mail security out there. See the slides for my talk at Usenix Security (http://www.cs.auckland.ac.nz/~pgut001/pubs/usenix02_slides.pdf) for more details (the StartTLS stuff is about halfway through).

It depends on how you define "better".

Currently the amount of my mail protected by traditional means is essentially nonexistant. I get one piece of PGP-encrypted mail every month or two (and I was one of the peope who helped write the thing!) and I don't recall ever having received or sent any S/MIME-encrypted mail. OTOH something like 10-15% of all my mail is protected by STARTTLS, and the figure is rising continuously and will continue to do so (particularly if MS make some minor changes in Exchange which I've asked some people there about). It doesn't matter how many types of mail encryption software I have sitting unused on my hard drive, 10% (and growing) coverage with reasonable protection is better than 0% coverage with good protection. Peter.