22 Aug 2017, 1:06 a.m.
On 21/08/17 22:18, Joseph Tam wrote:
> Lest anyone think STARTTLS MITM doesn't happen,
> https://threatpost.com/eff-calls-out-isps-modifying-starttls-encryption-commands/109325/3/
> Not only for security, I prefer port 993/995 as it's just plain simpler to initiate SSL from the get-go rather than to do some handshaking that gets you to the same point.
Frankly, after reading the above link and some more info on the internet on the subject, I am now wondering why we bother at all with STARTTLS for IMAP, POP3 and even SMTP (and by the way, port 465 for SMTP + SSL/TLS *is* indeed officially deprecated). It would appear that STARTTLS is significantly more vulnerable to MITM attacks than plain SSL/TLS for all the above protocols. Is the slight extra convenience of opportunistic encryption really worth the substantial loss in security?
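As an added illustration (not part of this thread or of Dovecot), here is a small Python model of the client-side decision that a STARTTLS-stripping middlebox relies on: the IMAP CAPABILITY lines are constructed, not captured, and the contrast is between an opportunistic client that silently falls back to plaintext and one that refuses to log in without TLS. Implicit TLS on 993/995 has no cleartext negotiation phase to tamper with, which is the point made above.

```python
"""Opportunistic vs. mandatory STARTTLS, modelled on IMAP CAPABILITY responses.

Pure functions over constructed server output; nothing here touches the network.
"""
import re

# Constructed IMAP CAPABILITY responses (not captured from any real server).
CAP_GENUINE = b"* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN LOGINDISABLED\r\n"
# A middlebox that overwrites the keyword in transit (the kind of tampering the
# EFF report linked above is about); the line is still syntactically valid.
CAP_MANGLED = b"* CAPABILITY IMAP4rev1 LITERAL+ XXXXXXXX AUTH=PLAIN LOGINDISABLED\r\n"
# Or the keyword is simply removed, so the client never sees a TLS option.
CAP_STRIPPED = b"* CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN\r\n"


def imap_capabilities(line: bytes) -> set:
    """Parse an untagged CAPABILITY response into a set of upper-cased atoms."""
    text = line.decode("ascii", errors="replace").strip()
    match = re.match(r"\* CAPABILITY (.+)$", text, re.IGNORECASE)
    if not match:
        raise ValueError("not an untagged CAPABILITY response")
    return {atom.upper() for atom in match.group(1).split()}


class PlaintextFallback(Exception):
    """Raised when TLS is required but the server did not advertise STARTTLS."""


def negotiate(caps: set, require_tls: bool) -> str:
    """Decide what the client does after reading CAPABILITY on port 143.

    Returns "starttls" when the upgrade is offered, "plaintext" when an
    opportunistic client would carry on in the clear, and raises
    PlaintextFallback when a mandatory-TLS client refuses to continue.
    """
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        # Fail closed: a missing STARTTLS capability is treated as an attack,
        # not as a server that happens to lack TLS.
        raise PlaintextFallback("STARTTLS not advertised; refusing cleartext login")
    # Opportunistic client: this branch is exactly what stripping is designed to reach.
    return "plaintext"
```

With require_tls=False the mangled and stripped responses both lead to a cleartext LOGIN carrying the password; with require_tls=True they are rejected before any credential is sent.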