Security Basics mailing list archives
Re: Opportunistic TLS on mail servers
From: ad33lh () gmail com
Date: Tue, 24 Mar 2009 08:31:47 -0600
Hello,

While any improvement you can make to the security of your company's data is a good move, you must be very careful how you propose and present any "opportunistic" solution. The main problem with this is that not all traffic will be encrypted (even if 95% is, that still leaves 5% that is not). This leads to a false sense of security on the part of the users, management and support staff.

Now you may argue that "we are doing this in the background without the end users knowing". Great, that's how it should be done. But that doesn't mean that word is not going to get out and people won't rely on what is essentially an unreliable solution.

Let me use an example. To make the changes you will need management approval and support staff collaboration (assumptions, I know, but reasonably safe ones). So now the management is in discussions with internal groups, external clients or prospective customers and is asked if his company secures the data. "Oh, yes," the manager says, "we encrypt our email." The third party is happy and does business with your company, only to have emails intercepted and disclosed, proving to be very embarrassing and damaging. They then proceed with legal action, as your "product" was represented as a secure and encrypted solution when it wasn't.

As far as the end user goes, the answer to "is my email safe" should always be an absolute, and no is the safer absolute. Even in instances where secure TLS connections are established between companies, the end user should still be told that their emails are not secure. This way they do not think the security between you and organization X extends to their friends and family.

The assumption of security your solution may create could be more damaging to the company than not encrypting anything.

Adeel
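The "95% encrypted, 5% not" point above can be made concrete by simulating how an opportunistic STARTTLS policy behaves against a set of receiving servers compared with a mandatory one. This is an added example, not code from the post or from any mail server; the domains, their capabilities and the policy names "may" and "encrypt" are constructed for illustration.

```python
# Added example (not from the post): simulate how an opportunistic
# ("may") STARTTLS policy differs from a mandatory ("encrypt") one
# against a constructed set of receiving domains, and report how much
# mail would actually travel encrypted. Domains and capabilities are
# invented for illustration, not measurements.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Peer:
    domain: str
    advertises_starttls: bool      # EHLO response lists STARTTLS?
    handshake_ok: bool = True      # would the TLS handshake succeed?

# Constructed sample of destination servers.
PEERS: List[Peer] = [
    Peer("example.com", True),
    Peer("example.net", True),
    Peer("example.org", False),                    # no STARTTLS offered
    Peer("example.edu", True, handshake_ok=False), # offered but broken
]

def deliver(peer: Peer, policy: str) -> str:
    """Outcome for one peer: "may" falls back to plaintext when TLS is
    unavailable; "encrypt" defers the message instead of sending it in
    the clear."""
    if peer.advertises_starttls and peer.handshake_ok:
        return "encrypted"
    if policy == "may":
        return "plaintext"   # the silent fallback the post warns about
    if policy == "encrypt":
        return "deferred"    # queued/bounced, never sent unencrypted
    raise ValueError(f"unknown policy {policy!r}")

def coverage(peers: List[Peer], policy: str) -> Dict[str, int]:
    """Tally outcomes across all peers for one policy."""
    counts: Dict[str, int] = {}
    for p in peers:
        out = deliver(p, policy)
        counts[out] = counts.get(out, 0) + 1
    return counts

def plaintext_domains(peers: List[Peer]) -> List[str]:
    """Domains an opportunistic policy reaches unencrypted: the set a
    defender should monitor rather than assume away."""
    return [p.domain for p in peers if deliver(p, "may") == "plaintext"]
```

Running `coverage(PEERS, "may")` shows two of four domains reached in plaintext, while `coverage(PEERS, "encrypt")` defers those same two instead; `plaintext_domains` lists exactly which peers make up the unencrypted share.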