Interception Modernisation Programme
Ian Batten
ukcrypto at chiark.greenend.org.uk
Thu, 9 Oct 2008 15:16:55 +0100
>>
>> Virtually all webmail traffic is HTTPS
>
> You'd think so wouldn't you ....
And worse, there are plenty I've seen which provide https if you
initially contact them that way, but don't force https if you contact
them over http. I do this:
    <VirtualHost mail.batten.eu.org:80>
        ServerName mail.batten.eu.org
        # needs mod_rewrite; every plain-HTTP request gets a permanent (301)
        # redirect to the HTTPS webmail URL, whatever path was asked for
        RewriteEngine on
        RewriteRule .* https://mail.batten.eu.org:443/squirrelmail/ [R=permanent,L]
    </VirtualHost>
and then avoid weak encryption:
    SSLCipherSuite MEDIUM:HIGH:!3DES:!ADH
(I'd like to do kEDH+aRSA:!aNULL:!LOW:!EXPORT for PFS but it doesn't
work with iPods and iPhones).
But I suspect few commercial services are as punctilious about
preventing stray unencrypted or notionally encrypted access.
ian
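Two checks a practitioner would want against the configuration above, added here as an editor's example rather than code from the thread or from the poster: one that classifies a plain-HTTP response to tell a forced (permanent, same-host, https://) redirect from a temporary one, an off-host one, or no redirect at all, and one that expands an SSLCipherSuite string through OpenSSL and lists whatever unauthenticated, unencrypted, export-grade or 3DES suites survive. The host names in the test data are constructed; only probe_http() touches the network. Two caveats the check makes visible: the OpenSSL alias !ADH removes only anonymous DH, not anonymous ECDH (AECDH) suites, and !aNULL covers both; and because OpenSSL security levels 1 and up strip unauthenticated suites from any context on their own, the raw=True flag (which prefixes @SECLEVEL=0, an assumption about the local OpenSSL build) is needed to see what the string itself selects. A redirect of this kind still leaves the first request in the clear; HSTS, which did not exist in 2008, is what closes that gap today.

```python
"""Checks for a webmail front door: is plain HTTP forced to HTTPS, and does
the SSLCipherSuite string still admit weak suites?  Added example for this
thread, not the poster's code.  Host names below are constructed."""
import http.client
import ssl
from urllib.parse import urlsplit


def classify_redirect(status, headers, expected_host):
    """Judge a port-80 response for `expected_host`.  Returns one of:
      'forced'    301/308 to https:// on the same host (what the RewriteRule
                  in the thread produces; cacheable by the browser)
      'temporary' 302/303/307 to https:// on the same host (works today,
                  but the browser will try http:// again next time)
      'offhost'   redirect to https:// on some other host
      'plain'     no redirect, or a redirect that stays on http://
    """
    location = None
    for name, value in headers.items():
        if name.lower() == 'location':
            location = value
            break
    if status not in (301, 302, 303, 307, 308) or location is None:
        return 'plain'
    target = urlsplit(location)
    if target.scheme.lower() != 'https':
        return 'plain'          # relative or http:// Location never upgrades
    if (target.hostname or '').lower() != expected_host.lower():
        return 'offhost'
    return 'forced' if status in (301, 308) else 'temporary'


def probe_http(host, path='/', timeout=5):
    """Live check (network): fetch http://host/path, do not follow redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request('GET', path, headers={'Host': host})
        resp = conn.getresponse()
        return classify_redirect(resp.status, dict(resp.getheaders()), host)
    finally:
        conn.close()


def weak_ciphers(cipher_string, raw=False):
    """Expand an OpenSSL cipher string the way mod_ssl's SSLCipherSuite does
    and return the suites that offer no authentication (Au=None: anonymous
    DH or ECDH), no encryption, export strength, or 3DES.

    raw=True prefixes '@SECLEVEL=0' (assumes an OpenSSL build that honours
    it) so that security-level filtering does not hide what the string
    alone would select."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(('@SECLEVEL=0:' if raw else '') + cipher_string)
    bad = []
    for c in ctx.get_ciphers():
        desc = c['description']      # e.g. '... Kx=ECDH Au=None Enc=AES(256) ...'
        if ('Au=None' in desc or 'Enc=None' in desc or 'Enc=3DES' in desc
                or desc.rstrip().endswith('export')):
            bad.append(c['name'])
    return bad


if __name__ == '__main__':
    # The poster's string versus the same string with !aNULL instead of !ADH.
    for s in ('MEDIUM:HIGH:!3DES:!ADH', 'MEDIUM:HIGH:!3DES:!aNULL'):
        print(s, '->', weak_ciphers(s, raw=True) or 'nothing weak')
    # Constructed response, as the VirtualHost above would answer on port 80.
    print(classify_redirect(301,
                            {'Location': 'https://mail.example.org:443/squirrelmail/'},
                            'mail.example.org'))
```

Running the module prints the raw expansion for both cipher strings so the ADH/aNULL difference can be seen on the local OpenSSL build, and probe_http('mail.example.org') would run the same classification against a live host.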