BBC 'vague' reporting again!
Dave Howe
ukcrypto at chiark.greenend.org.uk
Thu, 04 Dec 2008 08:03:50 +0000
Brian Morrison wrote:
> On Tue, 2 Dec 2008 09:41:10 +0000
> Roland Perry <lists@internetpolicyagency.com> wrote:
>
>>> and if there were any use of TLS, not even get them current
>>> traffic without having to demand the TLS keypair from the ISP (and not
>>> even then, if PFS modes are in use)
>> In theory I can exchange email with my office (aka home) on an ssh
>> tunnel and therefore have no ISP servers, or external unencrypted
>> traffic, involved at all. But it's all a bit too fiddly.
>
> It is? Surely it just happens automagically with very little
> configuration by simply ticking SSL and TLS modes in all the software
> that has them?
He specified SSH tunnels, not TLS - which TBH are slightly harder to
configure, and require ssh access to the mailservers themselves if they
are to be end-to-end. Personally, I would love to see TLS more widely
adopted, but it's amazing how few mailservers bother. To pick two -
Google mail, while *insisting* on client auth, doesn't bother to send
TLS even if the target server advertises STARTTLS in its ehlo reply, and
the NHS mailservers by default *advertise* STARTTLS, but drop the link
if you attempt to use it from outside the CFH network (i.e., from the
internet that most needs it). Although given the recent worm outbreak
spreading like wildfire on N3, I think they may have the more insecure
end of the wire well pegged :)
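The two failure modes Dave describes (a server that never tries STARTTLS even when the peer advertises it, and a server that advertises STARTTLS in its EHLO reply but drops the link when asked) are both things a mail admin can check on their own servers. The script below is an added example, not code from this thread or from any of the organisations named in it. It classifies a server as not advertising STARTTLS, advertising and honouring it, or advertising but refusing it. `classify_starttls` takes a real `smtplib.SMTP` connection (see `probe`, which needs network access), and the `FakeSmtp` class and its constructed EHLO replies are assumptions that let the same logic run offline; the hostnames in them are made up.

```python
"""Check whether an SMTP server advertises STARTTLS and actually completes
the TLS upgrade.  Added example (not from the ukcrypto thread); the
FakeSmtp stand-in and its replies are constructed so it runs offline."""
import smtplib
import ssl

ADVERTISED_OK = "advertised-and-honoured"
ADVERTISED_REFUSED = "advertised-but-refused"
NOT_ADVERTISED = "not-advertised"


def parse_ehlo(reply: bytes) -> dict:
    """Parse the EHLO reply text as smtplib hands it back (status codes
    already stripped, one line per extension) into {EXTENSION: params}.
    The first line is the server's greeting and is skipped."""
    exts = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        name, _, params = line.strip().partition(" ")
        if name:
            exts[name.upper()] = params
    return exts


def classify_starttls(conn) -> str:
    """conn is an smtplib.SMTP, or anything with the same ehlo()/starttls()
    API.  Returns one of the three classifications above."""
    code, msg = conn.ehlo()
    if code != 250 or "STARTTLS" not in parse_ehlo(msg):
        return NOT_ADVERTISED
    try:
        # Real smtplib raises SMTPResponseException on a non-220 reply
        # (e.g. 454), SMTPServerDisconnected if the link is dropped, and
        # ssl.SSLError (an OSError) if the handshake itself fails.
        conn.starttls(context=ssl.create_default_context())
    except (smtplib.SMTPException, OSError):
        return ADVERTISED_REFUSED
    return ADVERTISED_OK


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check against a server you administer (network required)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        return classify_starttls(conn)


class FakeSmtp:
    """Offline stand-in for smtplib.SMTP that replays constructed replies.
    It mirrors smtplib's behaviour: ehlo() returns (code, bytes) and
    starttls() raises the same exception types the real client would."""

    def __init__(self, ehlo_reply: bytes, starttls_code: int = 220,
                 drop_on_starttls: bool = False):
        self._ehlo = ehlo_reply
        self._code = starttls_code
        self._drop = drop_on_starttls
        self.tls_active = False

    def ehlo(self, name=""):
        return 250, self._ehlo

    def starttls(self, *, context=None):
        if b"STARTTLS" not in self._ehlo.upper():
            raise smtplib.SMTPNotSupportedError(
                "STARTTLS extension not supported by server.")
        if self._drop:
            raise smtplib.SMTPServerDisconnected(
                "Connection unexpectedly closed")
        if self._code != 220:
            raise smtplib.SMTPResponseException(
                self._code, b"TLS not available due to temporary reason")
        self.tls_active = True
        return 220, b"Ready to start TLS"


# Constructed EHLO replies (hostnames are made up).
HONOURS = FakeSmtp(b"mail.example.net Hello\nSIZE 35882577\nSTARTTLS\n8BITMIME")
DROPS = FakeSmtp(b"relay.example.org Hello\nSTARTTLS\n8BITMIME",
                 drop_on_starttls=True)
TEMP_FAIL = FakeSmtp(b"mx2.example.org Hello\nSTARTTLS", starttls_code=454)
PLAIN = FakeSmtp(b"mx.example.com Hello\nSIZE 10240000\n8BITMIME")

if __name__ == "__main__":
    for label, srv in [("honours", HONOURS), ("drops", DROPS),
                       ("454", TEMP_FAIL), ("plain", PLAIN)]:
        print(f"{label:8} -> {classify_starttls(srv)}")
```

Running this against a real server (`probe("mail.example.net")`) is only half of the story Dave tells: the Google case is the sending side not trying STARTTLS at all, which you can only see from the receiving server's logs (or a packet capture on port 25), not from probing the sender. The "advertised but refused" result is the one worth alerting on, since it silently falls back to cleartext for any client that does not insist on TLS.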