Hi Jeremy,
Thanks for clarifying this point. However, even from a general point of
view in terms of security, "over SSL" seems to be more secure than
STARTTLS, since it sends data in all circumstances in separate commands
only once the SSL session has been established, verified and connected,
while in STARTTLS it seems that it can send sensitive data as part of the
STARTTLS command, and if one is able to degrade the STARTTLS connection
using some of the MITM techniques then connection data can be exposed
over HTTP. Notice that I reached this conclusion despite there being no
practically working PoC, i.e. real vulnerability, and merely recommended
using "over SSL" as opposed to STARTTLS. If this conclusion too is not true
then I would appreciate your final comment.
Again, thanks.
Zakaria.
On 7 Feb 2022 22:51, Jeremy Harris via Exim-users <exim-users@???> wrote:
On 07/02/2022 22:15, Zakaria via Exim-users wrote:
> it seems STARTTLS is prone to some attack vectors, refer
> to https://nostarttls.secvuln.info/
The report there is bogus with respect to Exim.
--
Cheers,
Jeremy
--
## List details at
https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
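The disagreement above turns on what a client should do when STARTTLS is not offered, is answered with an error, or has plaintext sitting in the buffer beside the STARTTLS command. The following is an added example, not Exim's code and not part of the original thread: a small fail-closed STARTTLS policy (require STARTTLS, treat anything but 220 as a refusal to continue, discard plaintext buffered after the command, and reset protocol state once TLS is up, as RFC 3207 section 4.2 requires). All SMTP replies in it are constructed sample data, and the function names are my own.

```python
"""Fail-closed STARTTLS handling (added example, not Exim's implementation).

Two defensive checks the thread touches on:
  1. Client side: never fall back to plaintext when the server does not
     advertise STARTTLS or answers the STARTTLS command with anything but 220,
     so a stripped session never carries credentials or message data.
  2. Either side: discard any plaintext buffered after the STARTTLS command
     and reset protocol state once TLS is established (RFC 3207 section 4.2),
     so nothing sent before the handshake is treated as part of the session.
All replies and buffers below are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass, field


@dataclass
class EhloReply:
    code: int
    extensions: set = field(default_factory=set)


def parse_ehlo(reply: str) -> EhloReply:
    """Parse a multi-line EHLO reply: '250-KEYWORD' continuation lines and a
    final '250 KEYWORD' line. The first line is the server greeting, not an
    extension. Malformed replies raise ValueError so the caller fails closed."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code, exts = None, set()
    for idx, line in enumerate(lines):
        code_str, sep, text = line[:3], line[3:4], line[4:]
        if not code_str.isdigit() or sep not in ("-", " ", ""):
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(code_str)
        elif int(code_str) != code:
            raise ValueError("inconsistent reply codes")
        if sep != "-" and idx != len(lines) - 1:
            raise ValueError("data after final reply line")
        if idx > 0:
            keyword = text.strip().split(" ", 1)[0].upper()
            if keyword:
                exts.add(keyword)
    if lines[-1][3:4] == "-":
        raise ValueError("reply not terminated")
    return EhloReply(code, exts)


def decide_after_ehlo(reply: str, require_tls: bool = True) -> str:
    """Return 'starttls' when offered, otherwise 'refuse' (fail closed);
    'plaintext' is only possible when the caller explicitly opts out."""
    try:
        parsed = parse_ehlo(reply)
    except ValueError:
        return "refuse"
    if parsed.code != 250:
        return "refuse"
    if "STARTTLS" in parsed.extensions:
        return "starttls"
    return "plaintext" if not require_tls else "refuse"


def starttls_reply_ok(reply: str) -> bool:
    """Only a 220 reply to STARTTLS means the server is ready for the handshake."""
    return reply[:3] == "220" and reply[3:4] in (" ", "\r", "\n", "")


STARTTLS_CMD = b"STARTTLS\r\n"


def split_starttls_buffer(buf: bytes) -> tuple:
    """Split a read buffer into (STARTTLS command, trailing plaintext). The
    trailing bytes arrived before TLS existed and must be dropped, never
    replayed into the TLS session."""
    idx = buf.upper().find(STARTTLS_CMD)
    if idx < 0:
        raise ValueError("no STARTTLS command in buffer")
    end = idx + len(STARTTLS_CMD)
    return buf[idx:end], buf[end:]


@dataclass
class Session:
    tls: bool = False
    ehlo_extensions: set = field(default_factory=set)
    authenticated: bool = False


def on_tls_established(session: Session) -> Session:
    """Reset everything learned in the plaintext phase; only the TLS flag survives."""
    return Session(tls=True)


def may_send_sensitive(session: Session) -> bool:
    """Credentials and message content go over the TLS session or not at all."""
    return session.tls
```

`decide_after_ehlo` is the client-side downgrade guard: a server reply with STARTTLS removed yields `refuse` unless the operator has deliberately chosen `require_tls=False`. `split_starttls_buffer` and `on_tls_established` model the server-side half of the mitigation, where any bytes that followed the STARTTLS command and any EHLO knowledge are thrown away before the protected session begins.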