funsec mailing list archives
Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)
From: Dan White <dwhite () olp net>
Date: Tue, 13 Oct 2009 10:36:00 -0500
On 13/10/09 10:58 -0400, Rich Kulawiec wrote:
> On Tue, Oct 13, 2009 at 09:27:46AM -0500, Dan White wrote:
> > Sure it would. The idea of an IPSEC enabled PKI is that you have
> > end-to-end security, with perhaps many untrusted networks in the
> > middle. It means two-way trust.
>
> Which is a nice idea, but increasingly meaningless in a world where
> there are, at minimum, a hundred million already-compromised systems
> (I think 200M is now a better low-end estimate), more every day, and
> every possible reason to expect this problem to keep getting worse.
> End-to-end security is worthless if one end is already enemy territory.

There is a difference. SMTP is not based on end-to-end security. It's based on a chain of trust, and most of the chains have absolutely no security - if I send email to AOL, they pretty much have to trust me. I don't verify who I am.

If I'm an ISP and I accept email from a customer (because they're on my network, or they authenticate to me), I relay their email to AOL, and I can't reliably tell that it's SPAM.

To compound the issue, the From and To headers don't really have anything to do with how emails get routed, which still confuses my customers - "but someone must have hacked my email account. They sent an email to someone else as me, and the bounce came back to me instead!"

If email was based on end-to-end security, then SPAM is a problem between two specific users of the internet (my residential broadband customer and an AOL user). I don't have much care in whether that AOL user stops accepting email from my user. But I certainly *do* care if AOL stops accepting all email from all of my customers because they've decided to blacklist our relay server. To be fair, AOL is really good about not letting this happen, but a lot of other providers depend on 3rd party lists when determining who not to accept email from.

SMTP needs to go away, and be replaced by something that resembles end-to-end message passing, rather than the horrible touchy feely pseudo-chain-of-trust that it is today.

--
Dan White
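
Added example, not part of the original post: a small Python parser showing that delivery and bounces follow the SMTP envelope (MAIL FROM / RCPT TO) rather than the From and To headers the message above mentions. The transcript and every address in it are constructed for illustration, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed client-side SMTP transcript; all addresses are made up.
SESSION = """\
MAIL FROM:<bulk@sender.example>
RCPT TO:<user@aol.example>
DATA
From: "Alice Customer" <alice@isp.example>
To: undisclosed-recipients:;
Subject: hello

body text
.
"""

def split_session(transcript):
    """Return (envelope_sender, envelope_rcpts, raw_message) from client commands."""
    sender, rcpts, data, in_data = None, [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":                      # lone dot ends DATA
                in_data = False
            else:                                # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
        elif m := re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.I):
            sender = m.group(1)
        elif m := re.match(r"RCPT TO:\s*<([^>]*)>", line, re.I):
            rcpts.append(m.group(1))
        elif line.strip().upper() == "DATA":
            in_data = True
    return sender, rcpts, "\n".join(data) + "\n"

def analyze(transcript):
    """Compare what the relay acts on (envelope) with what the reader sees (headers)."""
    env_from, env_rcpts, raw = split_session(transcript)
    hdr_from = parseaddr(message_from_string(raw).get("From", ""))[1]
    return {
        "delivered_to": env_rcpts,      # routing uses RCPT TO, not the To: header
        "bounce_goes_to": env_from,     # bounces go to MAIL FROM (the reverse-path)
        "displayed_from": hdr_from,     # what the recipient's mail client shows
        "from_mismatch": hdr_from.lower() != (env_from or "").lower(),
    }

if __name__ == "__main__":
    print(analyze(SESSION))
```

A mismatch between the envelope sender and the From header is also normal for mailing lists and bulk senders, so treat it as one input to filtering, not a verdict.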