Saving Opportunistic Encryption

Eugen Leitl eugen at leitl.org
Wed Mar 17 11:33:19 PST 2004


On Wed, Mar 17, 2004 at 03:09:54PM +0000, petard wrote:

> There's a well-supported extension for that: http://enigmail.mozdev.org/
> Actually, plans are in the works to make S/MIME an extension as well, so
> the two will soon be on equal footing.

PGP/GPG has failed to protect the bulk of email for the same reason as FreeS/WAN
failed to protect the bulk of TCP/IP traffic. In comparison, opportunistic
encryption via StartTLS has been a modest success, simply because it's so
easy to deploy at MTA level (it would be a lot more successful if
postfix/exim/qmail shipped with working StartTLS, or at least apt-get install
yourMTAhere-tls would set up the certs and config properly).

Purists would scoff that plaintext is the default fallback, hence initial key
setup is easily disruptable, and MITM, and whatnot. However, if keys are cached,
key changes and sudden reverts to plain for known hosts are logged, and key
fingerprints for hosts are cross-correlated, potential meddling becomes far easier
to detect, even if only after the fact. Passive taps are easy; stealthy active
traffic manipulation, on a large scale? Could as well look out for fecal
precipitation from porcine aviation.

Should it happen, upgrading to a web of trust is always an option.

--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]
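The detection scheme sketched in the post above (cache the peer MTA's key, log key changes and reverts to plaintext for hosts that used to offer StartTLS, cross-correlate fingerprints between independent vantage points) as an added example; this is not code from the original message or from any MTA. It assumes a simple per-host fingerprint cache, a structured event log, and several observers whose caches are compared; the "certificates" are constructed byte strings standing in for DER-encoded certs.

```python
"""Trust-on-first-use tracking of MTA StartTLS certificates (added example).

Assumptions (not from the original post): one TlsObserver per vantage point,
a dict cache of host -> SHA-256 fingerprint, and a list of Observation
records as the audit log. Certificates are constructed placeholder bytes.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way to pin a peer MTA's cert."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Observation:
    host: str
    event: str  # first_seen | unchanged | key_changed | reverted_to_plain | plain
    old: Optional[str] = None
    new: Optional[str] = None


@dataclass
class TlsObserver:
    """Caches the last fingerprint seen per peer MTA and classifies each session."""
    name: str
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def observe(self, host: str, cert_der: Optional[bytes]) -> str:
        known = self.cache.get(host)
        if cert_der is None:
            # No StartTLS this time (not offered, or stripped in transit).
            # Only noteworthy if this host is known to have offered it before;
            # the cached expectation is deliberately kept, not cleared.
            event = "reverted_to_plain" if known else "plain"
            self.log.append(Observation(host, event, old=known))
            return event
        fp = fingerprint(cert_der)
        if known is None:
            event = "first_seen"          # TOFU: accept and remember
        elif fp == known:
            event = "unchanged"
        else:
            event = "key_changed"         # legitimate rotation or interference
        self.cache[host] = fp
        self.log.append(Observation(host, event, old=known, new=fp))
        return event

    def alerts(self):
        """Log entries an operator would want to review after the fact."""
        return [o for o in self.log if o.event in ("key_changed", "reverted_to_plain")]


def cross_correlate(observers):
    """Hosts for which independent observers currently hold different
    fingerprints, mapped to {fingerprint: [observer names]}. A single
    vantage point seeing a different key than everyone else is the
    signature of a localized active tap rather than a key rotation."""
    by_host = {}
    for obs in observers:
        for host, fp in obs.cache.items():
            by_host.setdefault(host, {}).setdefault(fp, []).append(obs.name)
    return {h: seen for h, seen in by_host.items() if len(seen) > 1}


def run_demo():
    """Constructed session history for two vantage points; returns the findings."""
    site_a = TlsObserver("site-a")
    site_b = TlsObserver("site-b")
    site_a.observe("mx.example.org", b"CONSTRUCTED-CERT-1")
    site_b.observe("mx.example.org", b"CONSTRUCTED-CERT-1")
    site_a.observe("mx.example.org", b"CONSTRUCTED-CERT-2")   # only site-a sees a new key
    site_a.observe("mx.example.org", None)                    # then a plaintext-only session
    return {
        "alerts": [(o.host, o.event) for o in site_a.alerts()],
        "disagreements": cross_correlate([site_a, site_b]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it flags two alerts at site-a (a key change followed by a revert to plain for a host that had offered StartTLS) and one host on which the two vantage points disagree; a rotation the MTA operator actually performed would instead show the same new fingerprint from every observer within a short window.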

More information about the cypherpunks-legacy mailing list