
Comment

In reply to Comment by Reader Charles

Andrew Ayer on 2014-08-13 at 14:35:

The client has to know that the server supports TLS somehow. Someone else mentioned DNSSEC+DANE, but that's not widely deployed and it's questionable whether it ever will be.

In practice the way it works with mail clients is you tell it when configuring your account. For example Thunderbird has a drop-down box called "Connection Security" with the options "None", "STARTTLS", and "SSL/TLS". (Many mail clients have something similar.) The concern is that the "STARTTLS" would be vulnerable to the downgrade attack, while "SSL/TLS" wouldn't be. (Note: I'm extremely confident Thunderbird does this correctly. The concern is with other, less widely used software.)

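As an added illustration (not part of the comment, and not Thunderbird's or any other client's code), here is the check a mail client's "STARTTLS" mode must make to resist the downgrade the comment describes: if the server's EHLO reply no longer advertises STARTTLS, a correct client refuses to continue rather than falling back to plaintext. The EHLO replies are constructed samples; the policy names mirror the Thunderbird "Connection Security" options quoted above.

```python
import re

# Constructed sample: what a STARTTLS-capable SMTP server answers to EHLO.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Constructed sample: the same reply with the STARTTLS line stripped,
# as an on-path attacker would present it to force a plaintext session.
EHLO_STRIPPED = (
    "250-mail.example.net Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(response):
    """Return the set of extension keywords in a multi-line 250 EHLO reply."""
    exts = set()
    for line in response.splitlines()[1:]:  # line 0 is the server greeting
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def decide(connection_security, ehlo_response, opportunistic=False):
    """Decide how the session proceeds under a 'Connection Security' setting.

    'SSL/TLS'  -> TLS is negotiated before any SMTP dialogue, so the EHLO
                  contents cannot be tampered with to remove it.
    'STARTTLS' -> correct clients fail closed when STARTTLS is missing;
                  opportunistic=True models the flawed fallback the comment
                  worries about.
    'None'     -> plaintext by configuration.
    """
    if connection_security == "SSL/TLS":
        return "implicit-tls"
    if connection_security == "STARTTLS":
        if "STARTTLS" in parse_ehlo_extensions(ehlo_response):
            return "starttls"
        return "plaintext" if opportunistic else "refuse"
    return "plaintext"
```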