On 19-08-15 08:30:27, Alice Wonder wrote:
> e-mail by its very design is not secure, SMTP creates "Man In The
> Middle" at every server along the way.

DANE exists and mail servers like postfix support this. My logfiles show me that mail.centos.org delivers straight to me without any servers along the way.

> I'm not saying they shouldn't implement TLS on the list server, just
> not sure what the privacy or security benefit really would be.

Encryption ensures that third parties simply cannot follow their "collect all" strategy.

On 08/19/2015 09:24 AM, Kai Bojens wrote:
> On 19-08-15 08:30:27, Alice Wonder wrote:
>
>> e-mail by its very design is not secure, SMTP creates "Man In The
>> Middle" at every server along the way.
>
> DANE exists and mail servers like postfix support this. My logfiles
> show me that mail.centos.org delivers straight to me without any
> servers along the way.

DANE just pins the certificate.

>
>> I'm not saying they shouldn't implement TLS on the list server, just
>> not sure what the privacy or security benefit really would be.
>
> Encryption ensures that third parties simply cannot follow their "collect
> all" strategy.

That's a fair point.

On 19/08/15 17:50, Alice Wonder wrote:
>
>
> On 08/19/2015 09:24 AM, Kai Bojens wrote:
>> On 19-08-15 08:30:27, Alice Wonder wrote:
>>
>>> e-mail by its very design is not secure, SMTP creates "Man In The
>>> Middle" at every server along the way.
>>
>> DANE exists and mail servers like postfix support this. My logfiles
>> show me that mail.centos.org delivers straight to me without any
>> servers along the way.
>
> DANE just pins the certificate.
>
>>
>>> I'm not saying they shouldn't implement TLS on the list server, just
>>> not sure what the privacy or security benefit really would be.
>>
>> Encryption ensures that third parties simply cannot follow their "collect
>> all" strategy.
>
> That's a fair point.

But it's a public mailing list?? I can understand why you may want to send some mail encrypted point to point, but not when you then publish said mail on a publicly accessible archived list. It's just adding unnecessary overhead.