North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Microsoft announces new ways to bypass security controls
Speaking on Deep Background, the Press Secretary whispered: > > > > We see that even when we offer POP with SSL and SMTP AUTH with SSL, few > customers wind up using it. That there are continuing problems with the > commercial certificate infrastructure doesn't help matters. > > Examples of the problems: > > 1. Eudora contains root certificates only for Verisign and Thawte, and uses > its own root certificate store, whereas Microsoft client tools (for all > their other weaknesses) include a much broader array of root certificates. > If you want to buy certs from someone other than Verisign (since they own > Thawte) you have to talk users through integrating other root certs (or > your cert) into their copies of Eudora. Or just use a private CA and talk > your customers through importing the root cert from your private CA. While the approval process for other certs in Eudora is obscure, it at least works. I ran into a brick wall trying to get Infernal Exploder for the Mac to accept same; the Windows version was not a problem. > 2. SSL incompatabilities: Eudora changed their method of negotiation with > Eudora 5.2 and later. The result is an inability to negotiate TLS with > Sendmail/Openssl. A configuration parameter in Eudora gets it to go back to > the "old way" in their code, which works fine. But now we're talking about > another case of talking an end user through a configuration. Might be OK > for a corporate setting, but it gets pretty problematic for the ISP. Note Eudora 6.0 has a public configuration setting for the flavor of SSL.[1] Yes, it should be automagic but "the nice thing about standards in this industry..." applies lots of places... > We've clearly got the mechanisms to allow encryption on the most important > of the protocols. However the infrastructure and compatability issues make > them more difficult to employ than should be the case. > > That these problems show up at networking conferences (IETF, NANOG, etc.), > though, really points to a larger problem. If network research, engineering > and operations folks can't manage to get encryption deployed for > themselves, how likely is it that end customers will use them? WhatHeSaid. We really need to do a better job of begging/cajoling/requiring encryption. I know one ISP that requires POP/SMTP be on SSL unless you're on their dialup, and I've heard Worldnet does too. [true?] The rest? [1] At least in the Mac version I can lay hands on.. -- A host is a host from coast to [email protected] & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
|