[unisog] Gmail for the University

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Thu Mar 2 04:51:39 GMT 2006

On Tue, 28 Feb 2006 09:23:06 EST, Michael Holstein said:

> Encrypting *access* and *transmission* (by using STARTTLS on SMTP and 
> POP/IMAP, or HTTPS on www) is another matter, but since so few sites by 
> default will do that, it's a non-issue at this point.

Actually, I've been tracking that (on a moderately large Listserv machine
that I've given a self-signed cert(*) so STARTTLS will function). From
Tuesday's outbound statistics:

Off-campus connections/delay stats
31266 connections with Total: 51,169 deliveries

   2037 version=TLSv1/SSLv3, cipher=AES256-SHA, bits=256/256
   1292 version=TLSv1/SSLv3, cipher=DHE-RSA-AES256-SHA, bits=256/256
    515 version=TLSv1/SSLv3, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
    398 version=TLSv1/SSLv3, cipher=DES-CBC3-SHA, bits=168/168
    219 version=TLSv1/SSLv3, cipher=RC4-MD5, bits=128/128

So about 14% of the time, the host at the other end is willing to do STARTTLS
when a machine calls with a self-signed cert.  I've been watching for remote
hosts that complain about the self-signed cert - and I've yet to see one.

(*) Yes, if everybody used a self-signed cert, that doesn't prevent an active
MITM attack.  However, it *does* effectively stop a passive sniffing attack,
and until we get real DNSSEC fully deployed, there's still the hole of a forged
DNS reply with a fraudulent MX pointing at a mail server that has a proper
certificate for itself (see the recent phishing run on Mountain America - the
real site was mntamerica.org, the phish pointed at https://www.mountain-america.net
which had a valid SSL cert issued by Equifax...)
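Tallying the outbound STARTTLS statistics quoted above, as an added Python example that is not part of the original post: it parses the summary lines in the shape the message shows (assumed to be sendmail-style STARTTLS fields: version, cipher, bits), reproduces the roughly 14% figure against the 31266 off-campus connections, and adds two checks a mail admin would want alongside it, a per-key-size tally and the share of sessions that used ephemeral DH (DHE/EDH) key exchange.

```python
import re
from collections import Counter

# Counts and total as quoted in the post; the lines below are constructed
# in the same shape as the post's summary so the parser can be run offline.
TOTAL_CONNECTIONS = 31266
SUMMARY_LINES = """\
   2037 version=TLSv1/SSLv3, cipher=AES256-SHA, bits=256/256
   1292 version=TLSv1/SSLv3, cipher=DHE-RSA-AES256-SHA, bits=256/256
    515 version=TLSv1/SSLv3, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168
    398 version=TLSv1/SSLv3, cipher=DES-CBC3-SHA, bits=168/168
    219 version=TLSv1/SSLv3, cipher=RC4-MD5, bits=128/128
""".splitlines()

# count, then the three sendmail-style STARTTLS fields; bits=negotiated/maximum
LINE_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+version=(?P<version>[^,]+),\s*"
    r"cipher=(?P<cipher>[^,]+),\s*bits=(?P<bits>\d+)/(?P<maxbits>\d+)\s*$"
)


def parse_summary(lines):
    """Return (count, version, cipher, negotiated_bits) for each cipher line."""
    parsed = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # headers or totals lines are not cipher lines; skip them
        parsed.append((int(m["count"]), m["version"], m["cipher"], int(m["bits"])))
    return parsed


def tls_share(parsed, total_connections):
    """Fraction of all outbound connections that negotiated STARTTLS."""
    return sum(c for c, *_ in parsed) / total_connections


def forward_secret_share(parsed):
    """Among TLS sessions, the share using ephemeral DH key exchange (DHE/EDH),
    which a passive sniffer cannot decrypt later even with the server's key."""
    tls = sum(c for c, *_ in parsed)
    fs = sum(c for c, _, cipher, _ in parsed if cipher.startswith(("DHE-", "EDH-")))
    return fs / tls if tls else 0.0


def by_key_strength(parsed):
    """Tally TLS sessions by negotiated symmetric key size in bits."""
    counter = Counter()
    for count, _, _, bits in parsed:
        counter[bits] += count
    return dict(counter)
```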
