Re: [exim] Why is STARTTLS preferred over tls_on_connect_por…

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Lars Mainka
Ημερομηνία:  
Προς: Tony Finch
Υ/ο: Exim Users
Αντικείμενο: Re: [exim] Why is STARTTLS preferred over tls_on_connect_ports?
> Actually the information in the HELO command is completely uninteresting
> to an attacker. The real reason that TLS-on-connect is more secure than
> STARTTLS is because it is more resistant to downgrade attacks. However
> this is mostly to do with the bad quality of implementation of most SMTP
> clients - they encourage users to make security optional rather than
> required, which makes the attacker's job much easier.


If STARTTLS is used as it should be, in example using strong certificate verifying, checking
encryption within the connection, strong authentication methods, denying weak ciphers and so on, you
should be as secure as with tls_on_connect.

Unfortunately the handling of the TLS/SSL implementations in clients are really bad and not
transparent.