On Tue, 1 Oct 2013, Todd Lyons wrote:
> On Tue, Oct 1, 2013 at 12:38 AM, Dr Andrew C Aitchison
> <A.C.Aitchison@???> wrote:
>> I for one *do* set tls_require_ciphers (though I currently use OpenSSL
>> not GnuTLS) - I dropped RC4 a couple of weeks ago after using
>> it for a couple of months to protect against the BEAST.
>
> I can see protecting against BEAST on the web where a session cookie
> is passed on every transaction. What utility does protecting against
> BEAST provide in an SMTP or SMTP Auth session? Help me think out of
> the box because I'm not seeing the usefulness.
At the time I couldn't get enough information to be sure that the
BEAST didn't apply to SMTP, so I added RC4 ciphers to protect against it.
Now that nessus and ssl-labs think RC4 is a bigger problem
I'm prepared to trust that the BEAST isn't an issue with SMTP.
My starting point is that http ssl/tls vulnerabilities should be
defended against in smtp/imap/ssh unless I can convince myself that
the vulnerability doesn't apply.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@??? http://www.dpmms.cam.ac.uk/~werdna
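Added example, not from this thread or from any of the posters: a small Python script that expands a candidate cipher string with the local OpenSSL and reports which weak cipher families survive in it. `tls_require_ciphers` is the Exim option name, and when Exim is built against OpenSSL the value is an OpenSSL-style cipher string, so Python's `ssl` module (which uses the same OpenSSL parser) shows what a given value actually selects on a given machine. The two strings `WITH_RC4` and `WITHOUT_RC4` are constructed for illustration and stand in for the "before" and "after" of dropping RC4; the weakness patterns are my own choice, not a list from the page.

```python
"""Expand an OpenSSL-style cipher string (the format Exim's
tls_require_ciphers takes when built against OpenSSL) and report
which weak ciphers survive.  Added example, not code from the thread."""
import re
import ssl

# Constructed candidates: the "before" still admits RC4 (as the poster did
# for a while, against BEAST); the "after" drops it.  Illustrative values.
WITH_RC4 = "HIGH:RC4:!aNULL:!eNULL"
WITHOUT_RC4 = "HIGH:!RC4:!aNULL:!eNULL:!MD5"

# Cipher-name fragments a reviewer would not want in an MTA's list.
WEAK_PATTERNS = {
    "RC4": re.compile(r"RC4"),
    "NULL": re.compile(r"NULL"),        # no encryption / no authentication
    "EXPORT": re.compile(r"EXP"),       # 40/56-bit export grades
    "DES": re.compile(r"DES-CBC(?!3)"), # single DES, not 3DES (DES-CBC3)
    "MD5": re.compile(r"MD5$"),         # MD5-based MACs such as RC4-MD5
}


def expand_cipher_string(cipher_string):
    """Return the ordered cipher names the local OpenSSL selects for
    cipher_string, or [] when OpenSSL rejects it (nothing matched)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists TLS 1.3 suites, which set_ciphers does not govern.
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Map weakness label -> matching cipher names, only for labels that hit."""
    hits = {}
    for label, pattern in WEAK_PATTERNS.items():
        matched = [n for n in names if pattern.search(n)]
        if matched:
            hits[label] = matched
    return hits


def check(cipher_string):
    """Expand the string and summarise how many ciphers it selects and
    which of them fall into a weak family."""
    names = expand_cipher_string(cipher_string)
    return {"count": len(names), "weak": weak_ciphers(names)}


if __name__ == "__main__":
    for candidate in (WITH_RC4, WITHOUT_RC4):
        result = check(candidate)
        print(f"{candidate}\n  {result['count']} ciphers selected; "
              f"weak: {result['weak'] or 'none'}")
```

Whether `WITH_RC4` really yields RC4 suites depends on the OpenSSL build (recent releases leave RC4 out entirely), which is exactly why expanding the string on the host that runs the MTA is more informative than reading the string itself; the hardened value should come back non-empty with no RC4 entry on any build.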