Bugtraq mailing list archives

RE: Norton AV 2002 rewriting SMTP, breaking TLS


From: "Owen, Greg" <Greg_Owen () vibren com>
Date: Fri, 19 Jul 2002 14:40:16 -0400

I saw this behavior in Norton AV 2000.  After searching their 
web site, I found the information saying that they just plain
don't support SSL encrypted email.  You have to pick, auto-scan
AV, or encrypted session.

        I ran into this bug (yes, I'll call it a bug) in Norton a few
months ago.  I can only say that there is a special circle in hell
reserved for companies which _silently_ disable security measures in
order to let their product carry out a procedure (especially a redundant
procedure).

        While we're on STARTTLS issues, another security issue people
should be aware of is that mail clients (I've seen this on OE, but I'm
betting it is pretty common) only use SSL for encryption, not
authentication.  In other words, if you just happen to be in a hotel
with one of those ethernet devices, and the hotel ISP happens to
silently redirect port 25 to their own SMTP relay, and their SMTP relay
supports STARTTLS with a valid certificate, then your mail client will
very happily transmit your SMTP AUTH credentials to their server,
thinking it is your own that it is talking to.  This one bit me at SANS
Orlando 2002 (Thank you, Marriott...)

-- 
        gowen -- Greg Owen -- greg_owen () vibren com
        Senior Network Engineer, Network Solutions Group
        Vibren Technologies, Inc.
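
The client-side check the message above says was missing, as an added example that is not part of the original post: credentials are sent only after STARTTLS succeeds against a certificate that names the configured server. The function names are hypothetical; the Python standard-library smtplib and ssl modules stand in for the mail client.

```python
import smtplib
import ssl


def strict_context(cafile=None):
    """TLS settings that authenticate the server, not just encrypt to it."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain must validate
    ctx.check_hostname = True            # certificate must name OUR server
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def authenticate(smtp, context, user, password):
    """Upgrade an open SMTP connection; send credentials only if that worked."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # Something in the path (scanner proxy, relay) removed STARTTLS:
        # fail closed instead of falling back to cleartext AUTH.
        raise smtplib.SMTPNotSupportedError("STARTTLS not offered")
    # Raises ssl.SSLCertVerificationError when the certificate is valid
    # but issued for a different host, e.g. an intercepting relay.
    smtp.starttls(context=context)
    smtp.ehlo()                          # re-read extensions over TLS
    smtp.login(user, password)
    return smtp


def submit(host, port, user, password, message):
    """Send one email.message.EmailMessage through the configured server."""
    # Passing host to the constructor is what gives starttls() the name
    # it checks the certificate against.
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        authenticate(smtp, strict_context(), user, password)
        smtp.send_message(message)
```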

