Subj : Security
To   : Michiel van der Vlist
From : Alan Ianson
Date : Sun May 03 2020 11:39 am

Hello Michiel,

AI>> Binkp over TLS is secure and provides privacy in a new and robust
AI>> way.

MV> Security against what threats and privacy against which snooping eyes?

Actually, TLS is not really new. It started as SSL in a bygone era and TLS is what we have today. It has evolved and continues to evolve.

Snooping eyes are everywhere. They are unseen, doing I don't know what. We have the technology and I suggest we use it. It already exists, so we don't have to develop anything at all, we just need to support it.

MV> The biggest potential invasion of privacy in Fidonet are sysops
MV> snooping on in transit mail. TLS does not protect against that.

That is true. We could (and I'm surprised we haven't) develop a way to encrypt transit mail if we wanted to. Mystic does this. It has support for this by using an AES256 encryption key between links. If Mystic operators use this feature, netmail between nodes is encrypted. I think this all happens when tossing, so it (or something like it) could be used in Fidonet generally if the software supports it. I'm not sure if that would be better implemented in the mailer or the tosser. Probably the tosser.

MV> The best strategy against snooping governments is to not be of
MV> interest. I doubt TLS is safe against the resources of governments.

TLS is open source. Governments could outlaw it if they wanted to raise the ire of the people, but I don't think that is going to happen.

AI>> It's a natural movement forward.

MV> Binkd already has built-in encryption. I do not think the added value
MV> of TLS is worth the effort and overhead. Not for Fidonet...

That was a very good addition that the binkd developers added to binkd at the time. It was powerful and ahead of its time. That must have been twenty years ago, when SSL was not widely known or easy to implement. That algorithm was also cracked about 20 years ago.

It's still better than nothing, but TLS would be a good addition today. The crypt option does not provide security today.

AI>> It's not easy to do in all mailers, but if it was and it was
AI>> supported and available by your links and your own mailer would
AI>> you use it?

MV> I don't know. If I'd have to go through the hassle of getting a
MV> certificate and pay for it and renew it every two years, probably
MV> not. And I do not trust LetsEncrypt.

It's possible to use a self-signed certificate. I don't know the ramifications of a self-signed certificate vs. LetsEncrypt, but it might provide the security and privacy we need. Currently I use a certificate from LetsEncrypt.

Ttyl :-),
Al

--- GoldED+/LNX
 * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)