

In reply to Comment by Reader Charles

Andrew Ayer on 2014-08-13 at 14:35:

The client has to know that the server supports TLS somehow. Someone else mentioned DNSSEC+DANE, but that's not widely deployed and it's questionable whether it ever will be.

In practice the way it works with mail clients is you tell it when configuring your account. For example Thunderbird has a drop-down box called "Connection Security" with the options "None", "STARTTLS", and "SSL/TLS". (Many mail clients have something similar.) The concern is that the "STARTTLS" would be vulnerable to the downgrade attack, while "SSL/TLS" wouldn't be. (Note: I'm extremely confident Thunderbird does this correctly. The concern is with other, less widely used software.)
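To make the downgrade concern in the comment above concrete, here is an added example (not Andrew Ayer's code, and not Thunderbird's) that models how a mail client should act on the three "Connection Security" settings. It parses a constructed SMTP EHLO reply, and in "STARTTLS" mode it fails closed when the STARTTLS keyword is absent instead of silently continuing in plaintext; "SSL/TLS" mode never depends on the EHLO reply at all, which is why it is not exposed to the same downgrade. The function and constant names (`decide_connection`, `lenient_decide`, `EHLO_WITH_STARTTLS`, `EHLO_STRIPPED`) and the sample replies are assumptions made for this example.

```python
from enum import Enum
from typing import Optional, Set


class Security(Enum):
    """The three choices a mail client typically offers (assumed labels)."""
    NONE = "None"          # plaintext, no TLS at all
    STARTTLS = "STARTTLS"  # plaintext EHLO first, then upgrade with STARTTLS
    IMPLICIT = "SSL/TLS"   # TLS from the first byte, before any SMTP traffic


class DowngradeError(Exception):
    """Raised when the client refuses to fall back to plaintext."""


def parse_ehlo(reply: str) -> Set[str]:
    """Return the extension keywords advertised in a multi-line EHLO reply.

    The first line carries the server hostname; each later line is
    '250-KEYWORD ...' or, for the final line, '250 KEYWORD ...'.
    """
    caps = set()
    for i, line in enumerate(reply.splitlines()):
        if i == 0:
            continue  # greeting line, not a capability
        if len(line) < 4 or not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        caps.add(line[4:].split(" ", 1)[0].upper())
    return caps


def decide_connection(mode: Security, ehlo_reply: Optional[str]) -> str:
    """Correct (fail-closed) behaviour: return the channel the client proceeds on.

    IMPLICIT: the TLS handshake already happened before EHLO, so the reply
              cannot influence whether TLS is used.
    NONE:     plaintext, exactly what the user configured.
    STARTTLS: proceed only if STARTTLS is advertised; a missing keyword is an
              error, never permission to continue in the clear.
    """
    if mode is Security.IMPLICIT:
        return "tls"
    if mode is Security.NONE:
        return "plaintext"
    if ehlo_reply is None:
        raise ValueError("STARTTLS mode needs the EHLO reply to decide")
    if "STARTTLS" not in parse_ehlo(ehlo_reply):
        raise DowngradeError("server did not advertise STARTTLS; refusing plaintext")
    return "tls-after-starttls"


def lenient_decide(mode: Security, ehlo_reply: Optional[str]) -> str:
    """The behaviour the comment worries about: fall back to plaintext when
    STARTTLS is not advertised. Shown only for contrast with decide_connection."""
    try:
        return decide_connection(mode, ehlo_reply)
    except DowngradeError:
        return "plaintext"


def would_refuse(mode: Security, ehlo_reply: Optional[str]) -> bool:
    """True if the fail-closed client refuses this reply in the given mode."""
    try:
        decide_connection(mode, ehlo_reply)
    except DowngradeError:
        return True
    return False


# Constructed sample replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# The downgrade case from the comment: the same reply with STARTTLS absent.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

if __name__ == "__main__":
    for mode in Security:
        for label, reply in (("advertised", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
            strict = "REFUSE" if would_refuse(mode, reply) else decide_connection(mode, reply)
            print(f"{mode.value:>8} / {label:<10} strict={strict:<19} lenient={lenient_decide(mode, reply)}")
```

The point of the contrast: only the "STARTTLS" row changes between the two replies, and only the lenient client ends up sending credentials in plaintext when the keyword is missing. A client configured for "SSL/TLS" returns "tls" for both replies because the handshake is complete before the first SMTP byte is exchanged.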

