On Monday 24 June 2002 10:49 am, Simon Waters wrote:

> But the underlying idea is great. Wrong level - wire encryption à la IPSec achieves the same effect as MTA encryption but without leaking the metadata to eavesdroppers. It also encrypts the other traffic as well.
TLS (transport layer security) does that, too, and it's a lot simpler to use ;)

> Problem is the key management issues; the only promising scheme I've seen so far is FreeS/WAN opportunistic encryption (DNS security remains), although I plead ignorance of IPv6's intended schemes for key management.
We're using FreeS/WAN to connect all our hosting centres together over VLANs; it works very well. We also support opportunistic encryption for a few of our services and offer customers FreeS/WAN VPN access to their subnet(s). The one big problem with FreeS/WAN is the seriously bad documentation. The other one is that AHA packets can't be NATed in any form, or auth fails, which is a right pain in the arse, considering many secure networks use NAT for security reasons.

> Other wire level encryption can be done with free cipher schemes, and a little fiddling, in the style of PGP VPN, but I haven't had the need.
We use the Shiva boxes, which do a good job now the OS has matured on them and supports IPSEC standards, though it only took me 3 years of moaning at them to implement it ;p There is also SSH VPN (PPP over SSH) tunnelling, which *can be* slow, but is very easy for the client to set up, and useful for a light connection. Others to look at are vtund, openvpn, tinc, secpvn, tunnelv, and of course vpnd.

> I guess OpenSSL could also provide an easy encryption scheme for email, although I'm not clear how suitable it is encryption-wise, and I prefer the lower level stuff, less scope for confusion.
TLS is perfect for email - if you look at the headers of my mails you'll see right from when it leaves my desktop to when it leaves our network it's encrypted - if the servers beyond us support TLS, then it uses it too. But what's the point in using it when all it needs is one hop while sending a mail for it in plain SMTP and your message isn't secure - then of course it has to sit on the mail servers and passes through the risks of localhost snooping it, and evil postmasters. That's why layer 5 encryption will always be with us.

Some ISPs do support TLS, and we're probably seeing a few hundred mail servers per day that contact us and use STARTTLS (after EHLO), so it's getting more popular - if only all MTAs supported it then life would be so much nicer. TLS also has the added advantage you can swap certificates with other peers to make sure they are who they say they are. For example, my local mailserver has a client certificate that it uses when talking to mail.anlx.net, and only using that certificate can I relay mail through my mail server with my email address.

But this brings us to the point that ISPs really don't *generally* give a shit about customers' security, or even their own in many cases ;p It's always a constant struggle between security and ease of use for the (l)users. If life was perfect, and all users were smart, I'd disable POP3, SMTP, FTP, etc... but can't. Users moan, they *want* to use the insecure protocols even when it means risking their security, even when there is a more secure option working (pop3s, imaps, sftp and scp). They just can't be arsed to learn something new, because they don't truly understand the risks involved to both them and us, the ISP.

I only woke up 10 minutes ago, not even had coffee yet, so excuse the typos/mistakes etc ;)

~ Theo

-- 
Theo Zourzouvillys http://zozo.org.uk/
Accent on helpful side of your nature. Drain the moat.
-- The Mailing List for the Devon & Cornwall LUG Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
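Theo's point that one plain-SMTP hop is enough to break the confidentiality that STARTTLS gives on the others can be checked from the Received: headers he mentions. The script below is an added example, not code from the thread; it assumes the MTA annotations Postfix and Exim write ("with ESMTPS", "esmtps (TLSv1:...)") and the "version=TLS" form Sendmail writes, and runs over constructed sample headers with example.* hostnames.

```python
"""Walk the Received: headers of a message and report which SMTP hops used TLS."""
import re
from email import message_from_string

# Constructed sample (not from the original post): three hops, the middle one plain SMTP.
# MTAs prepend Received: headers, so the top one is the last hop before delivery.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.30])
\tby mail.example.org with ESMTPS id xyz; Mon, 24 Jun 2002 10:49:00 +0100
Received: from relay.example.com (relay.example.com [192.0.2.20])
\tby mx.example.net with ESMTP id abc; Mon, 24 Jun 2002 10:48:00 +0100
Received: from desktop.example.com (desktop.example.com [192.0.2.10])
\tby relay.example.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) id 17MaZb-0001cD-00;
\tMon, 24 Jun 2002 10:47:00 +0100
From: theo@example.com
To: list@example.org
Subject: TLS hops

body
"""

# Markers that an MTA writes only when the session was TLS-protected (assumed formats):
# Postfix/Exim "with ESMTPS"/"ESMTPSA"/"esmtps", Exim/Sendmail cipher annotations.
TLS_MARKERS = (
    re.compile(r"\bwith\s+e?smtpsa?\b", re.I),
    re.compile(r"TLSv\d|SSLv\d|version=TLS", re.I),
)


def parse_hops(raw_message):
    """Return hops in delivery order as dicts with 'from', 'by' and 'tls' keys."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        src = re.search(r"\bfrom\s+(\S+)", flat)
        dst = re.search(r"\bby\s+(\S+)", flat)
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "tls": any(p.search(flat) for p in TLS_MARKERS),
        })
    return hops


def all_hops_encrypted(hops):
    """True only when every recorded hop carried a TLS marker."""
    return bool(hops) and all(h["tls"] for h in hops)


def plaintext_hops(hops):
    """The (from, by) pairs that exchanged the message over plain SMTP."""
    return [(h["from"], h["by"]) for h in hops if not h["tls"]]
```

A header only records what the receiving MTA chose to write, so a missing marker means "not proven encrypted" rather than "proven plaintext"; the check is still useful for spotting which relay in a path never offers STARTTLS.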