- cross-posted to:
- technology
- cross-posted to:
- technology
UK government is trying to get into iCloud end-to-end encryption. (Again?)
Makes me think about email servers too. Most of my private information is in emails, and not only I use a service where the host machines access the email, so do almost everyone I email to/from.
SMTP is only encrypted if the second server responds correctly to the first servers starttls.
The striptls type of attack, which prevents the servers from getting a valid starttls exchange, was in use over a decade ago by some telcom against its own customers.
Even if you know the person you’re emailing has a correctly configured client you can’t control a man in the middle attack between servers which has been in widespread use for years.
And SMTP/IMAP do not support end-to-end encryption, so a malicious server can still spy on you even if it uses TLS.