The "dumpsterfire" mailing list is for the discussion of security and
privacy issues related to the IoT (Internet of Things). Arguably,
the entire IoT *is* a security and privacy issue, but we'll get to that
in good time.
If you want to join, you can either use the list's web page:
It's not the best-connected or most powerful server, however it's been
running a bunch of public/private mailing lists for many years and
for that purpose, it's sufficed nicely. (That's one of the many major
advantages of mailing lists over web forums: they don't need much in
the way of connectivity, bandwidth, or horsepower.) Sure, I'd like
to have bigger/better/faster/more, but since I'm paying for this
out of my own pocket...
asks for a "password" which is then transported over clear text. The year
is 2019 and there's always letsencrypt SSL certs. Admittedly, mailman does
send you the password in clear text over SMTP if you ask for it.
-andreas
To borrow a quote: The 'S' in IoT stands for 'Security'.
> but if done right, fwiw, wouldn't that
> be sent over SMTP using TLS encryption
So STARTTLS strip is not a problem anymore?
If you deploy DANE (client and server sides) then stripping STARTTLS is
ineffective for the target domain.
We (isc.org) have but gmail.com hasn’t (server side at least). One could be
asking why you are using gmail.com when they don’t care enough to signal to
the world that STARTTLS is supported and should be there in the EHLO.
On 11 Jan. 2019, 23:19, Mark Andrews <marka@isc.org> wrote:
> > So STARTTLS strip is not a problem anymore?
> If you deploy DANE (client and server
> sides) then stripping STARTTLS is
> ineffective for the target domain.
If you defer to send (and finally bounce) everything targeted at a domain that fails TLSA lookup, then fair enough. I don’t think this is (and is going to be in the near future) the case for the dumpsterfire mailing list, but you may rightfully assume I haven’t checked yet.
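The sender-side policy the two messages above describe, written out as an added example (not code from the list or from any participant): with a DNSSEC-secured TLSA RRset, a stripped STARTTLS earns a deferral instead of a cleartext fallback, and a lookup that fails validation is deferred (and would eventually bounce). The SPKI bytes and lookup results are constructed, and RFC 7672 is simplified to the DANE-EE(3)/SPKI(1)/SHA-256(1) profile.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the DER SubjectPublicKeyInfo of the receiving MX's
# certificate (a real sender would extract it from the presented chain).
MX_SPKI = b"constructed-spki-of-mx.example.net"


@dataclass
class TlsaLookup:
    status: str            # "secure" (DNSSEC-validated), "insecure", or "bogus"
    records: tuple = ()    # each record: (usage, selector, matching_type, hex_data)


def publish_tlsa(spki: bytes) -> tuple:
    """What the receiving domain publishes: 3 1 1 <sha256 of SPKI> (constructed)."""
    return (3, 1, 1, hashlib.sha256(spki).hexdigest())


def tlsa_matches(record: tuple, spki: bytes) -> bool:
    """Only the 3/1/1 profile is handled; anything else is treated as unusable."""
    usage, selector, mtype, assoc = record
    if (usage, selector, mtype) != (3, 1, 1):
        return False
    return hashlib.sha256(spki).hexdigest() == assoc.lower()


def delivery_decision(lookup: TlsaLookup, offers_starttls: bool, mx_spki: bytes) -> str:
    """Action an RFC 7672-style sender takes for one MX (simplified)."""
    if lookup.status == "bogus":
        return "defer"              # DNSSEC failure: retry later, eventually bounce
    if lookup.status != "secure" or not lookup.records:
        # No DANE signal: opportunistic TLS only, so a stripped
        # STARTTLS silently downgrades the session to cleartext.
        return "tls" if offers_starttls else "cleartext"
    # Secure, non-empty TLSA RRset: TLS is mandatory for this MX from here on.
    if not offers_starttls:
        return "defer"              # stripping STARTTLS cannot force cleartext
    usable = [r for r in lookup.records if r[:3] == (3, 1, 1)]
    if not usable:
        return "tls"                # encrypt, but cannot authenticate (simplified)
    if any(tlsa_matches(r, mx_spki) for r in usable):
        return "tls-dane-verified"
    return "defer"                  # TLSA published but key mismatch: do not deliver
```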
but if done right, fwiw, wouldn't that be sent over SMTP using TLS encryption?
Oy vey. in-flight vs at-rest encryption. <facepalm>
Which is why I said "fwiw", acknowledging upfront that TLS transmission encryption has a limited scope. I guess you missed that? But I was specifically replying to a complaint about passwords being sent in plain text, and I was suggesting that TLS would solve that problem. At that point in the discussion, it wasn't a discussion about all things encryption. ("Context" is very helpful - are you still facepalming?)