SoylentNews is people
SoylentNews
This isn't really new news, but improperly configured mail services result in lots of privacy holes across the Internet.
STARTTLS is used to upgrade an unencrypted connection to an encrypted SSL/TLS connection. The problem is that if the upgrade fails, many mail clients will proceed to send mail on the unencrypted connection.
For any sysadmins (technical info):
Unfortunately, the situation is somewhat sticky. I suggest reading carefully the TLS/SSL section of https://wiki.debian.org/PostfixAndSASL as well as the STARTTLS RFC http://tools.ietf.org/html/rfc2487
Public email servers should not require STARTTLS (that is, encryption) on port 25 (smtp). Furthermore, there is no guarantee that all of the mail servers during transit of an email use encryption. Thus, you should assume your email is transmitted unencrypted, until a better solution emerges. You can always use OpenPGP to encrypt the body of your email, which should become commonplace shortly after Hurd achieves market dominance.
Editors Note: How to articles for various flavors of Microsoft Exchange can be found at MSExchange.org.
(Score: 3, Interesting) by VanderDecken on Monday November 02 2015, @04:35PM
It is true that getting a working GPG implementation is too difficult for most users and MUA built-in support is mostly dismal. There is much traffic on various crypto mailing lists about how things could be improved to the point that "Johnny's grandma can do it". (Please avoid going off on a tangent re sexist or age-ist related rants, please.) The biggest problem seems to come down to key management, including how do you Grandma to understand assymetric keys, why they are important, how the halves differ, and how to manage them. And then there is the web-of-trust thing. Through many conversations I have yet to see a proposed solution that both protects the user and is understandable. (Most arguments seem to approach things either from the "hide details from most users" camp that makes it hard for someone to understand when there's a problem, or the "we just need a nicer UI with this New and Shiny Paradigm that uses an analogy that breaks down just when it matters" camp.
If anyone could come up with a decent solution, there'd be a lot of people interested in it. And I don't mean coding it, I'm talking about just being able to describe it all in detail, with extra points for non-functional mockups. I don't propose SN as the right medium for the conversation, though ...
See also Why Johnny Can't Encrypt [usenix.org]
Regarding not having to configure SMTP/IMAP options in clients: Meh. Given that there are no reasonable defaults for the username/password pair (and thus they need to be entered anyway), I don't think that having to enter the hostname is particularly onerous. Things like port numbers already have defaults and don't need to be entered. Should they default to using crypto? Probably. But overall, especially that it's a one-time thing, I don't see configuring your email client to be that much of a hassle. Probably the closest thing would be to define preferred SMTP and IMAP servers in the DHCP response payload, but in the world of mobile computing I would say that such information is going to be wrong more often than not, anyway. (About the only time it would be helpful is in enterprise deployments, and client configuration there is already a solved problem anyway.)
The two most common elements in the universe are hydrogen and stupidity.
(Score: 2) by frojack on Monday November 02 2015, @09:48PM
It is true that getting a working GPG implementation is too difficult for most users and MUA built-in support is mostly dismal.
Not really. Thunderbird+enigmail has a wizard that walks you through the whole process.
The hardest part is KNOWING about the need for it. Once you get beyond that its easy.
Tbird also knows about ports and servers for all large mail hosts. Give it an email address and it can sus out what the host, ports, and protocols are.
No, you are mistaken. I've always had this sig.