undefined | Better HN

0 pointsjustsomehnguy3y ago0 comments

> That's obviously false if you bothered to do a bit of searching

Technically correct, best kind of correct.

Sure, it is not plaintext, but anyone with the access to the wire could MITM the connections. Maaaaybe something changed in the last ten years, but I never seen someone not accepting a connection with a self-issued certificate and any warnings (to the end user) if the receiver uses self-issued cert. Which makes the whole point quite moot.

0 comments

gruez3y ago

>but anyone with the access to the wire could MITM the connections. Maaaaybe something changed in the last ten years

The section on MTA-STS describes how that attack is mitigated.

justsomehnguyOP3y ago

> mitigated

For this attack to be mitigated everyone should implement it. Gmail and Live.com has MTA-STS records, Fastmail doesn't, one regional provider with millions of accounts doesn't have it too.

And finally your MTA should support it and be configured to deny the delivery if MTA-STS validation fails (and adversary, who is happily MITMing your traffic, shouldn't fiddle with DNS and HTTPS and of course blocking HTTP/S from the MX would be considered cheating!).

All in all, SMTP traffic is encrypted, but it is not secured.

j / k navigate · click thread line to collapse