Microsoft announces new ways to bypass security controls

Speaking on Deep Background, the Press Secretary whispered:

We see that even when we offer POP with SSL and SMTP AUTH with SSL, few
customers wind up using it. That there are continuing problems with the
commercial certificate infrastructure doesn't help matters.

Examples of the problems:

1. Eudora contains root certificates only for Verisign and Thawte, and uses
its own root certificate store, whereas Microsoft client tools (for all
their other weaknesses) include a much broader array of root certificates.
If you want to buy certs from someone other than Verisign (since they own
Thawte) you have to talk users through integrating other root certs (or
your cert) into their copies of Eudora. Or just use a private CA and talk
your customers through importing the root cert from your private CA.

While the approval process for other certs in Eudora is obscure,
it at least works. I ran into a brick wall trying to get Infernal
Exploder for the Mac to accept same; the Windows version was not
a problem.

2. SSL incompatabilities: Eudora changed their method of negotiation with
Eudora 5.2 and later. The result is an inability to negotiate TLS with
Sendmail/Openssl. A configuration parameter in Eudora gets it to go back to
the "old way" in their code, which works fine. But now we're talking about
another case of talking an end user through a configuration. Might be OK
for a corporate setting, but it gets pretty problematic for the ISP.

Note Eudora 6.0 has a public configuration setting for the flavor
of SSL.[1] Yes, it should be automagic but "the nice thing about
standards in this industry..." applies lots of places...

We've clearly got the mechanisms to allow encryption on the most important
of the protocols. However the infrastructure and compatability issues make
them more difficult to employ than should be the case.

That these problems show up at networking conferences (IETF, NANOG, etc.),
though, really points to a larger problem. If network research, engineering
and operations folks can't manage to get encryption deployed for
themselves, how likely is it that end customers will use them?


We really need to do a better job of begging/cajoling/requiring encryption. I
know one ISP that requires POP/SMTP be on SSL unless you're on their dialup,
and I've heard Worldnet does too. [true?] The rest?

[1] At least in the Mac version I can lay hands on..