On 3/25/2015 6:59 AM, James Knott wrote:

On 03/25/2015 08:40 AM, Per Jessen wrote:

StartTLS is one method of doing that. To clarify, the choices are plain text, specific configuration for SSL/TLS, which requires the other end also be configured for it and a different port number, or StartTLS, which uses the same port numbers as plain text, but TLS is negotiated, when available.
ANY man in the middle can suppress a negotiated TLS when using STARTTLS. All they have to do is strip the server's reply of the STARTTLS capability, or drop your client's request to starttls. Several big ISPs were caught doing this, which is why StartTLS is a bad idea.

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
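The capability-stripping downgrade described above, as an added example that is not part of this thread: a small Python model of the SMTP client side, showing why an opportunistic client silently falls back to plaintext when the STARTTLS line is missing from the EHLO reply, and how a mandatory-TLS policy refuses instead. The two EHLO replies are constructed, and `parse_ehlo`, `next_step` and `probe` are names I chose (the live `probe` helper uses the standard `smtplib`/`ssl` modules and is not exercised offline).

```python
"""Opportunistic vs. mandatory STARTTLS on the SMTP client side (added example)."""
import smtplib
import ssl

# Constructed EHLO replies (RFC 5321 multi-line 250 format). The first is what the
# server sent; the second is what the client sees after a middlebox has removed
# the STARTTLS capability line, which is the downgrade the thread describes.
EHLO_INTACT = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_STRIPPED = "250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def parse_ehlo(reply: str) -> dict:
    """Return {KEYWORD: params} from a 250 EHLO reply; the first line is the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        keyword, _, params = line[4:].partition(" ")  # skip "250-" or "250 "
        caps[keyword.upper()] = params
    return caps


def next_step(reply: str, require_tls: bool) -> str:
    """Decide the client's next action after EHLO.

    With require_tls=False (opportunistic TLS) a missing STARTTLS line is read as
    "server has no TLS" and the session continues in plaintext, so stripping one
    line is enough to defeat encryption. With require_tls=True the client aborts.
    """
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return "STARTTLS"
    return "ABORT" if require_tls else "PLAINTEXT"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live version of the mandatory policy against a real server (hypothetical helper).

    Refuses to continue when STARTTLS is not advertised instead of falling back,
    and verifies the server certificate with the default context.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "ABORT"
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        return "STARTTLS"
```

Running `next_step` on both constructed replies shows the difference: the opportunistic client answers `PLAINTEXT` for the stripped reply, the mandatory one answers `ABORT`.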