From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from duke.felloff.net ([216.126.196.34]) by ewsd; Mon Jul 20 12:18:58 EDT 2020 Message-ID: Date: Mon, 20 Jul 2020 18:18:48 +0200 From: cinap_lenrek@felloff.net To: 9front@9front.org Subject: Re: [9front] patch smtp: ignore unrecognized certificates In-Reply-To: <12797BEC64C15CAB8201AA7801E6B319@eigenstate.org> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: secure progressive GPU software YAML over YAML shader information backend you need to differentiate some use cases. for servers like your isp's or your networks forwarding mailserver (machines that you have direct relation or control over), it makes sense to pin certificates or public key. this is where you use smtps, instead of this insecure STARTTLS contraption. but on the internet, nobody is really checking the cert as theres no root of trust. last time i checked, you could put a self signed cert in your smtp server and you'd still get mail as theres not really a common root of trust. this is different from webbrowsers where the root of trust is controlled by the browser vendo^Wgoogle. smtp is just opportunistic encrytion. hell, starttls can be attacked by mitm by just stripping the command with a proxy to sabotage the tls negotiation. it is just best effort to at least encrypt the data, but it will not hold against an adversary that has active mitm capability. to it protects from passive sniffing... mayyyybe, if we had dnssec and put the public key hash in the dns then we could have mitm protected email transport. but its not working very well. people whine that they dont want to trust the dns (fair enougth) and then use letsencrypt instead which completely 100% relies on dns for the renewal... in conclusion, it makes sense to me to add a flag to smtp client for opportunistic encryption that skips certificate verification. (you'd control it in your remotemail script depending on the destination, so you can still pin the keys for sites that you trust). tho please dont use -c flag. its a negative, so should have a capital letter. and we should also skip loading the tumbprint at all, as it makes no sense to try to check anything in this case. -- cinap