<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>STARTTLS anyone? in </title>
<link>http://www.dslreports.com/forum/r8766011</link>
<description></description>
<language>en</language>
<pubDate>Thu, 26 Nov 2009 17:20:38 EDT</pubDate>
<lastBuildDate>Thu, 26 Nov 2009 17:20:38 EDT</lastBuildDate>

<item>
<title>Re: STARTTLS anyone?</title>
<link>http://www.dslreports.com/forum/remark,8775092</link>
<description><![CDATA[<A HREF="/useremail/u/659143"><b>koitsu</b></A> : This is one of the most educational and thumbs-up-worthy posts I've seen on BBR in a while (maybe I'm just not looking in the right places).<br><br>Incredibly useful, FO.<br><br>And likewise, I'm in the exact same boat you are.  I too have the same qualms with coughing up large sums of money for SSL certs -- which would most definitely apply to Yahoo!'s new idea, albeit for a different technology -- and likewise have no desire to pay big bucks for CA-signed certs.  I guess it depends on how much it costs.<br><br>Although nothing is going to stop a spammer from paying for a CA-signed cert.  Even if it was US$1000, they'd pay it to continue to spam.  You know how it goes... so really, what is Yahoo!'s idea going to truly get us?<br><SMALL>--<br>Making life hard for others since 1977.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8775092</guid>
<pubDate>Sat, 13 Dec 2003 13:47:04 EDT</pubDate>
</item>

<item>
<title>Re: STARTTLS anyone?</title>
<link>http://www.dslreports.com/forum/remark,8773214</link>
<description><![CDATA[<A HREF="/useremail/u/698757"><b>nixen</b></A> :  <BLOCKQUOTE><SMALL>said by  justin:</SMALL><HR>with huge volumes of mail pouring into yahoo each from a different IP, and claiming to be from a certain server, don't you need the existing scaled DNS infrastructure to cope with efficient local lookups and propagation of changes?<br> <HR></BLOCKQUOTE><br>It would probably be possible to use the same key-propagation mechanism used in <A HREF="http://www.faqs.org/rfcs/rfc3090.html">"standard" DNS signed zones</A>. Of course, the only thing I've ever done even remotely close to that is setting up signature keyed remote zone updates. And, even if I did bother to secure my zone, unless the holders of .com were to set up a trust relationship with me, my zone would only be locally secure. Given who holds .com, I'm guessing the only way <I>that's</I> going to happen is if I buy SSL certificates for my DNS servers from Verisign (which sorta smacks of conflict of interest?).<br><br>And that's the real problem with this whole scheme: SSL certificates don't come cheap and only come through a few, select places. So, to fully secure email or to fully secure DNS, etc., someone like Verisign (ECH!) would be in a good position to make an awful lot more money than they already do just for secured web sites. <br><br>Unless GPG-style keyring servers were used, it's going to suck for small mail/DNS operators. It overall seems to be a way to eliminate use of personal mail servers and DNS servers, thus guaranteeing that every aspect of the Internet would become commercialized. <br><br>Is it necessarily a bad thing to be forced to rely on professional DNS and email services? It kind of depends on how good of a job you think they are or would likely do. 
I run my own DNS and SMTP servers because I have yet to find a provider that meets my needs for speed, flexibility and freedom from hassles like SPAM. My fear is, given a Yahoo scenario, I'd have to pay <I>somebody</I> to relay my emails.<br><br>-tom<br><SMALL>--<br>"There are 10 types of people in the world... those who understand binary and those who don't."<BR>"That's only 2 types of people, moron"</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8773214</guid>
<pubDate>Sat, 13 Dec 2003 09:18:38 EDT</pubDate>
</item>

<item>
<title>Re: STARTTLS anyone?</title>
<link>http://www.dslreports.com/forum/remark,8769379</link>
<description><![CDATA[<A HREF="/useremail/u/659143"><b>koitsu</b></A> : Depends on how it's done.  I was considering it TXT record per zone which contained an MD5 or Base64 version of a public key.<br><br>After thinking about it for a while, I really don't see what this is going to do for people.  I mean, we already have certificates available to sendmail and qmail via STARTTLS; why do we need one per zone?<br><br>It's possible I'm misunderstanding how Yahoo! wants to implement it, but of course the details are still kinda sketchy at this point.<br><SMALL>--<br>Making life hard for others since 1977.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8769379</guid>
<pubDate>Fri, 12 Dec 2003 20:32:14 EDT</pubDate>
</item>

<item>
<title>Re: STARTTLS anyone?</title>
<link>http://www.dslreports.com/forum/remark,8766459</link>
<description><![CDATA[<A HREF="/useremail/u/1"><b>justin</b></A> : with huge volumes of mail pouring into yahoo each from a different IP, and claiming to be from a certain server, don't you need the existing scaled DNS infrastructure to cope with efficient local lookups and propagation of changes?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8766459</guid>
<pubDate>Fri, 12 Dec 2003 15:03:00 EDT</pubDate>
</item>

<item>
<title>STARTTLS anyone?</title>
<link>http://www.dslreports.com/forum/remark,8766011</link>
<description><![CDATA[<A HREF="/useremail/u/659143"><b>koitsu</b></A> : Isn't this exactly what STARTTLS is for, re: certificate-based authentication using standard OpenSSL certificates and CAs?  It sure isn't DNS-based (and I'm thankful for that; using DNS for this isn't a good idea, IMHO) either...<br><br>About 7-8 months ago, I posted something about STARTTLS in reference to a spam-oriented news post here on the forums.  Some company was yapping and blabbing about a certificate-based method and calling it "revolutionary technology."  STARTTLS had been around for a good 11-12 months prior to that.<br><br>Anyways, I congratulate Yahoo! in trying to do something about spam, but I must side with the bloggers -- so what?  This isn't going to accomplish anything other than provide Yahoo! a way to make money off of something Verisign-style (re: signed CA/certs).  It sounds to me like Yahoo! is slowly going down the same road as all the rest of the "dot-com" ventures -- questionable motives.  Sad too, since Yahoo! has been around since 1996 or so.<br><br>I think a much more effective method -- albeit not as immediately effective -- is <A HREF="http://www.wtop.com/?sid=150989&amp;nid=25">something like this</A>.  Maybe it'll make <A HREF="http://lost.malkavian.com/~jdc/techtv.mpg">adolescent DDoS-spammer kids</A> change their minds and become real members of the working-class society.  Get real jobs and contribute to the economy, you bastards...<br><SMALL>--<br>Making life hard for others since 1977.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,8766011</guid>
<pubDate>Fri, 12 Dec 2003 14:05:04 EDT</pubDate>
</item>

</channel>
</rss>
