On Sun, 9 Mar 2003 16:06:43 +0000 Giuliano Gavazzi <eximlists@???> wrote:
> Sorry for the OT, but I have just noticed that the latest Eudora is
> negotiating a different encryption with my server, this is documented
> in the release notes for that version (the MacOSX 5.2.1b5 version).
>
> Previously it would get a TLSv1:DES-CBC3-SHA:168, now (5.2.1b5) it
> gets a TLSv1:RC4-SHA:128. Is this much weaker (I am not really that
> concerned..)?
RC4 is indeed a weaker than 3DES (DES-CBC3 is OpenSSL speak for 3DES
in Cipher Block Chaining mode.)
for SMTP over TLS, for garden variety personal email, it's hardly a crisis.
if you seriously need encrypted email, you should go with a PGP/GPG
solution rather than depending on the distinctly weaker SMTP over TLS
approach anyway. SMTP over TLS is fine as far as it goes, but it's not an
end-to-end solution and authentication is limited to server and client
authentication (where it is done at all), rather than personal
authentication (which PGP/GPG can provide.)
richard
--
Richard Welty rwelty@???
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
