Subj : Security
To   : Alan Ianson
From : Michiel van der Vlist
Date : Tue May 05 2020 09:45 am

Hello Alan,

On Sunday May 03 2020 11:39, you wrote to me:

 MV>> Security against what threats and privacy against which snooping
 MV>> eyes?

 AI> Actually, TLS is not really new. It started as SSL from a bygone era
 AI> and TLS is what we have today. It has and continues to evolve.

I know TLS is not new.

 AI> Snooping eyes are everywhere. They are unseen doing I don't know what.
 AI> We have the technology

Do we? Or do we just think we have? If you do not know against what or who you are protecting, how do you know the defence is effective? Or if it is working at all?

 MV>> The biggest potential invasion of privacy in Fidonet are sysops
 MV>> snooping on in-transit mail. TLS does not protect against that.

 AI> That is true. We could (and I'm surprised we haven't) develop a way to
 AI> encrypt transit mail if we wanted to.

We have already had that for 25 years. I already used PGP to encrypt netmail in the mid nineties. I wrote a utility for it that scanned *.msg for certain strings and called PGP to encrypt the text. The problem was that few sysops would route encrypted mail....

 AI> Mystic does this. It has support for this by using an AES256
 AI> encryption key between links. If Mystic operators use this feature
 AI> netmail between nodes is encrypted. I think this all happens when
 AI> tossing so it (or something like it) could be used in Fidonet
 AI> generally if the software supports it. I'm not sure if that would be
 AI> better implemented in the mailer or tosser. Probably the tosser.

Probably a dedicated utility like my IMCRYPT.

 MV>> The best strategy against snooping governments is to not be of
 MV>> interest. I doubt TLS is safe against the resources of governments.

 AI> TLS is open source.

These days open source is no guarantee that you know exactly what is going on. There is too much under the hood...

 AI> Governments could outlaw it if they wanted to

But they don't. So I suspect they have already cracked it or have other ways to circumvent it.

 AI> raise the ire of the people but I don't think that is going to happen.

 AI>>> It's a natural movement forward.

 MV>> Binkd already has built-in encryption. I do not think the added
 MV>> value of TLS is worth the effort and overhead. Not for Fidonet...

 AI> That was a very good addition that the binkd developers added to binkd
 AI> at the time. It was powerful and ahead of its time.

[..]

 AI> That algorithm was also cracked about 20 years ago. It's still better
 AI> than nothing but TLS would be a good addition today. The crypt option
 AI> does not provide security today.

I know it is not perfect. But so are the locks on my house. They are not perfect. They will not stop a sufficiently equipped and determined intruder. But they will stop enough.

 AI>>> It's not easy to do in all mailers, but if it was and it was
 AI>>> supported and available by your links and your own mailer would
 AI>>> you use it?

 MV>> I don't know. If I'd have to go through the hassle of getting a
 MV>> certificate and pay for it and renew it every two years,
 MV>> probably not. And I do not trust LetsEncrypt.

 AI> It's possible to use a self signed certificate.

That is the equivalent of someone saying "trust me". I never trust people who say that.

 AI> I don't know the ramifications of a self signed certificate vs
 AI> letsencrypt but it might provide the security and privacy we need.
 AI> Currently I use a certificate from letsencrypt.

I don't trust LetsEncrypt. For a variety of reasons. What is their business model? If it sounds too good to be true it usually isn't. Plus that it is a US company, subject to the Patriot Act.

A couple of years ago a Dutch company issuing certificates was hacked. All the certificates were compromised. Google for DigiNotar.

Anyway, binkd over TLS is not on my wish list. I'd prefer it if the developers spent their time and energy on other issues.

Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
 * Origin: http://www.vlist.eu (2:280/5555)
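The point Michiel makes above (link encryption, whether binkd's crypt option, a Mystic link key or TLS, does nothing against a sysop reading mail in transit; only end-to-end encryption such as his PGP netmail utility does) can be shown in code. The following is an added example written for this page, not code from the thread, from binkd, Mystic or IMCRYPT. It assumes a simplified model: each link is protected with AES-256-GCM under a key shared by the two adjacent nodes (standing in for a mailer's per-link key), the end-to-end layer is RSA-OAEP wrapping a fresh AES-256-GCM body key (standing in for PGP), and the hub is modelled as opening the link layer, as it must to route, and looking at what is inside. Node and message names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must keeps the demo readable: the only failures it hides are programming
// errors (bad key sizes, a broken CSPRNG), never attacker-controlled input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	_ = must(rand.Read(b))
	return b
}

// gcmSeal: AES-256-GCM with the nonce prefixed. The same primitive serves as
// the per-link layer (our stand-in for a mailer's link key) and as the inner
// end-to-end layer (our stand-in for PGP's symmetric part).
func gcmSeal(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

// gcmOpen reverses gcmSeal; a wrong key or a tampered packet fails the tag check.
func gcmOpen(key, ct []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("packet too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// e2eEncrypt wraps a fresh body key to the addressee's RSA public key with
// OAEP and returns wrappedKey || AES-GCM(bodyKey, body). Only the holder of
// the private key can unwrap it, whichever hubs the message passes through.
func e2eEncrypt(to *rsa.PublicKey, body []byte) []byte {
	bodyKey := randBytes(32)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, to, bodyKey, nil))
	return append(wrapped, gcmSeal(bodyKey, body)...)
}

// e2eDecrypt is what only the addressee can do: unwrap the body key, open the body.
func e2eDecrypt(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	n := priv.Size() // OAEP output is exactly one modulus in length
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	bodyKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, msg[:n], nil)
	if err != nil {
		return nil, err
	}
	return gcmOpen(bodyKey, msg[n:])
}

// RunScenario delivers body from origin, via a hub, to dest over two
// link-encrypted hops. The hub has to open the link layer to route, so
// hubReads reports whether what it saw was the netmail itself; delivered
// is what the addressee finally read.
func RunScenario(body string, endToEnd bool) (hubReads bool, delivered string) {
	linkA, linkB := randBytes(32), randBytes(32)        // origin<->hub and hub<->dest link keys (assumed model)
	destKey := must(rsa.GenerateKey(rand.Reader, 2048)) // addressee's long-term key
	payload := []byte(body)
	if endToEnd {
		payload = e2eEncrypt(&destKey.PublicKey, payload)
	}
	inTransit := must(gcmOpen(linkA, gcmSeal(linkA, payload)))  // hub opens hop 1 to route it
	received := must(gcmOpen(linkB, gcmSeal(linkB, inTransit))) // dest opens hop 2
	if endToEnd {
		received = must(e2eDecrypt(destKey, received))
	}
	return string(inTransit) == body, string(received)
}

func main() {
	for _, e2e := range []bool{false, true} {
		hubReads, delivered := RunScenario("Hello Alan, a private netmail.", e2e)
		fmt.Printf("endToEnd=%-5v hubReadsPlaintext=%-5v delivered=%q\n", e2e, hubReads, delivered)
	}
}
```

With endToEnd=false the hub's `inTransit` is the netmail exactly as written, even though both hops were encrypted; with endToEnd=true the hub sees only ciphertext under a key it does not hold, and the addressee still recovers the text. Which layer a mailer's TLS or crypt option adds is the first one; what IMCRYPT-style tooling adds is the second, and the routing problem Michiel mentions (sysops refusing encrypted mail) is untouched by either.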
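On the self-signed certificate being "trust me": what that amounts to in practice is that a peer can only accept such a certificate by having been told, out of band, exactly which one to expect. The following added example (written for this page, not code from the thread or from binkd) generates two nodes' self-signed certificates and runs node A's through the three trust decisions a mailer could make: ordinary chain validation against a root set that does not contain it, chain validation after the operator has explicitly added A's own certificate as a trusted root, and a fingerprint pin exchanged beforehand. The hostnames are constructed, and the certificates are short-lived test certificates, not anything a real link would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert issues a certificate for host signed by its own fresh key,
// the kind a sysop generates locally instead of obtaining one from a CA.
func SelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is SHA-256 over the DER certificate: the value two sysops exchange out of band before pinning.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyAgainstRoots is ordinary chain validation, as a TLS client does it against the CA set it was given.
func VerifyAgainstRoots(c *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// VerifyPinned trusts exactly one certificate, identified by a previously recorded fingerprint, and still checks the hostname.
func VerifyPinned(c *x509.Certificate, host, pinnedFP string) error {
	if Fingerprint(c) != pinnedFP {
		return errors.New("certificate does not match pinned fingerprint")
	}
	return c.VerifyHostname(host)
}

// Verdicts: whether each trust decision accepted node A's self-signed certificate.
type Verdicts struct {
	UnrelatedRoots   bool // root pool holding only node B's self-signed cert
	UnknownAuthority bool // ...and that rejection is x509.UnknownAuthorityError
	OwnCertAsRoot    bool // root pool to which the operator added A's cert itself
	Pinned           bool // fingerprint pin plus hostname check
	PinnedWrongHost  bool // correct pin, but presented for B's hostname
}

func Demo() (Verdicts, error) {
	a, err := SelfSignedCert("binkp.node-a.example") // constructed hostnames
	if err != nil {
		return Verdicts{}, err
	}
	b, err := SelfSignedCert("binkp.node-b.example")
	if err != nil {
		return Verdicts{}, err
	}
	unrelated, own := x509.NewCertPool(), x509.NewCertPool()
	unrelated.AddCert(b)
	own.AddCert(a)
	errUnrelated := VerifyAgainstRoots(a, "binkp.node-a.example", unrelated)
	var ua x509.UnknownAuthorityError
	return Verdicts{
		UnrelatedRoots:   errUnrelated == nil,
		UnknownAuthority: errors.As(errUnrelated, &ua),
		OwnCertAsRoot:    VerifyAgainstRoots(a, "binkp.node-a.example", own) == nil,
		Pinned:           VerifyPinned(a, "binkp.node-a.example", Fingerprint(a)) == nil,
		PinnedWrongHost:  VerifyPinned(a, "binkp.node-b.example", Fingerprint(a)) == nil,
	}, nil
}

func main() {
	v, err := Demo()
	fmt.Printf("%+v err=%v\n", v, err)
}
```

The only paths that accept the certificate are the two in which the operator has personally decided to trust that specific certificate (adding it to the root set, or pinning its fingerprint); nobody else can vouch for it, which is the "trust me" Michiel objects to. The pin is also the narrower of the two: a pinned certificate presented under another hostname is still rejected, and a compromise of the kind he mentions at DigiNotar, where a CA's issuance is abused, does not affect a link that trusts one pinned certificate rather than a CA.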