Who can save us? It's 2018 and some email is still sent as cleartext

The Internet Engineering Task Force (IETF) has emitted another small advance in its program to protect as much of the Internet as it can, with a request that email systems finish encrypting all their connections. In RFC 8314, Windrock's Keith Moore and Oracle's Chris Newman explain that there are some interactions between email …

  1. Anonymous Coward

    IETF(ers)... In Lycra... More like in Zimmer frames and mobility scooters these days. We were taking bets a couple of IETFs back (I think it was the Berlin one) when will they mandate mobility scooter friendly chair arrangement in the meeting rooms.

    In Lycra... Ughh... Where is the mindscrub, I need to scrub that image off my cerebral cortex.

  2. Adam 1 Silver badge

    progress

    You are a bit glass half empty there. It was only three months ago that email that was explicitly set to encrypted was, er, well it was encrypted I guess, but importantly was also very much not encrypted. So we're making progress.

    1. big_D Silver badge

      Re: progress

      The other problem is, wow, the link between mail client and server is encrypted... Er, wait, the emails aren't encrypted, so anyone on the server can read them and they are (often) transferred in plain text between servers...

      It is like saying a car has airbags, but neglecting to mention it doesn't have brakes or seatbelts...

        1. Anonymous Coward

        Re: progress

        > It is like saying a car has airbags, but neglecting to mention it doesn't have brakes or seatbelts...

        I'm in the process of negotiating a new contract with a major computer vendor and they are demanding all sorts of security processes are put in place for data which they email to me. The other day I got to talk to their "security expert" and when I asked about how I could ensure the privacy of data which they just email out to all and sundry their expert maintained that email is encrypted.

        If even the people inside companies who are supposed to be looking after these things don't understand the basics, what chance is there of getting things fixed? Generally you can't get things fixed until everyone agrees there is a problem that needs fixing.

        At the moment there is no way to know whether any email you send is going to be encrypted over every MTA->MTA hop. The recipient can get an idea whether this might be the case if they bother to read the headers, but who's likely to do this all the time? (OK, people reading this probably do with emails we are suspicious of)

        When it comes to email it should be encrypted in the sender's client and decrypted in the recipient's client. Otherwise you have sod all security. The problem is that every major government is going to down vote that proposal as it falls foul of their snoopers' charters.

        Without end to end encryption we're just pissing in the wind.
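
An added illustration of the header check the commenter above describes (this is my example, not anything from the thread): a Python script that walks a message's Received: headers, oldest hop first, and flags any hop whose trace clause carries no TLS indication. It relies on the RFC 3848 `with` keywords (ESMTPS and ESMTPSA mean STARTTLS was negotiated, ESMTPA means authenticated but cleartext) plus the "(using TLSv1.2 ...)" clause that Postfix and Exim add; the three-hop message it runs on is constructed.

```python
import re
from email import message_from_string, policy

# Constructed three-hop message: submission over STARTTLS+AUTH, a cleartext
# relay-to-MX hop in the middle, then STARTTLS into the final MX.
SAMPLE = """\
Received: from mx3.example.net (mx3.example.net [203.0.113.30])
    by mail.example.org (Postfix) with ESMTPS id 4F2A1C0B
    for <alice@example.org>; Mon, 12 Feb 2018 09:14:02 +0000 (UTC)
Received: from relay.example.com (relay.example.com [198.51.100.7])
    by mx3.example.net (8.15.2/8.15.2) with ESMTP id w1C9DpqV012345
    for <alice@example.org>; Mon, 12 Feb 2018 09:13:50 +0000
Received: from [192.0.2.10] (client.example.com [192.0.2.10])
    by relay.example.com (Postfix) with ESMTPSA id 1B9D3E
    for <alice@example.org>; Mon, 12 Feb 2018 09:13:41 +0000 (UTC)
From: bob@example.com
To: alice@example.org
Subject: test

hello
"""

# RFC 3848 keywords ending in "S" mean TLS was used (ESMTPS, ESMTPSA, UTF8SMTPS);
# ESMTPA alone is authenticated but in the clear.  Postfix/Exim also add a
# "(using TLSv1.2 with cipher ...)" clause, which we accept as a second signal.
_TLS_RE = re.compile(r'\bwith\s+(?:UTF8)?E?SMTPS\w*\b|\bTLSv?1', re.I)
# The transport keyword itself; anchored on "SMTP" so "with cipher" is skipped.
_WITH_RE = re.compile(r'\bwith\s+(\w*SMTP\w*|LMTP|local)\b', re.I)
_FROM_BY_RE = re.compile(r'\bfrom\s+(\S+).*?\bby\s+(\S+)', re.I | re.S)


def audit_received(raw_message: str):
    """One record per Received: hop, oldest hop first, with a tls flag."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each MTA prepends its own Received: line, so the first header is the
    # last hop; reverse to get transit order.
    for value in reversed(msg.get_all('Received', [])):
        line = ' '.join(str(value).split())      # undo header folding
        m = _FROM_BY_RE.search(line)
        src, dst = (m.group(1), m.group(2)) if m else ('?', '?')
        proto = _WITH_RE.search(line)
        hops.append({
            'from': src,
            'by': dst,
            'protocol': proto.group(1) if proto else None,
            'tls': bool(_TLS_RE.search(line)),
        })
    return hops


def cleartext_hops(raw_message: str):
    """The hops a practitioner actually wants to see: those without TLS."""
    return [h for h in audit_received(raw_message) if not h['tls']]


if __name__ == '__main__':
    for hop in audit_received(SAMPLE):
        flag = 'TLS      ' if hop['tls'] else 'CLEARTEXT'
        print(f"{flag} {hop['from']} -> {hop['by']} ({hop['protocol']})")
```

Two caveats worth keeping in mind: every Received: line is written by the receiving MTA, so anything below the hop you control could have been forged by an earlier relay; and the check is after the fact, which is exactly the commenter's point. It tells you how this message travelled, not how the next one will.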

        1. Lysenko

          Re: progress

          When it comes to email it should never be encrypted in the sender's client and decrypted in the recipient's client. Otherwise you have sod all security.

          Unfortunately, the above version is also sometimes true and the fact that this gets missed is indicative of a lack of threat modelling (probably the most pervasive security problem there is).

          From a corporate perspective, the threat posed by disgruntled/bent employees forgetting/changing a password may be far more serious than that posed by some emails getting read by the wrong person. A GDPR fine may be far less costly than a compliance failure that gets you shut down entirely. Rampant, untraceable insider trading that can't be detected because communications are encrypted point-to-point may be regarded as reckless negligence bordering on active facilitation.

          I'm not really disagreeing with your points, just noting that blindly cargo culting "best practices" can be a security threat in itself. That's why encrypted passwords (for example) do not always mean the designer is an idiot. The threat model may dictate that inability to break into someone's systems and communications is the primary threat that the design needs to address[1].

          [1] I'm discussing intranets and corporate. Not random TLA snooping on private citizens.

          1. Anonymous Coward

            Re: progress @Lysenko

            You are right, there is always the balance between is the security improved by being able to snoop or not being able to snoop.

            This is what governments are arguing for, 3 key encryption (one for the sender, one for the intended recipient and the magic fairy's one which unlocks everything and is impossible to steal, leak or be used in the wrong context to snoop on the wrong message).

            Surely from a corporate's perspective the way out is that they should be doing their snooping before you get to hit the send key and have your email encrypted. Since they own the client they are in a position to put whatever monitoring regimes in place before the message is encrypted.

          2. Anonymous Coward

            Re: progress

            Indeed very different discussions when you're considering corporate and personal use (not use of personal email in a corporate environment which shouldn't be a use case due to the ubiquity of smart phones). I expect the security expert at the major computer vendor is trying to ensure that when your gateway sends mail to their gateway and vice versa it uses TLS (see https://www.checktls.com/live/index.html). That person may enquire about end-to-end encryption where they're specifically looking to achieve confidential communications to the individual but in the main it'll be to ensure that your email provider won't downgrade the connection and expose the mail contents over the internet. Of course as a supplier/partner they may have a ton of other security requirements not just related to email for you to comply with.

            1. Anonymous Coward

              Re: progress

              I expect the security expert at the major computer vendor is trying to ensure that when your gateway sends mail to their gateway and vice versa it uses TLS

              If only it were true. No, their expert insisted that all email was encrypted regardless of who it was sent to. Their gw MTA uses TLS, my gw MTA uses TLS, but since they also send the emails to various other people directly who use a variety of ISPs world wide I've no way of ensuring that the messages will stay encrypted. Oh yes, and they have a pile of other security requirements, most of which are perfectly sensible. I've no idea how to implement change control in a world in which W10 exists though; things change, if stuff still works in the morning then be thankful.
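
As an added example (mine, not either commenter's) of the downgrade worry raised in this sub-thread: a small offline model of the RFC 3207 STARTTLS negotiation, showing what an on-path attacker on a cleartext hop gets by deleting the STARTTLS line from the EHLO reply, or by answering the STARTTLS command with a 454, under an opportunistic policy versus a mandatory one. The policy names are borrowed from Postfix's smtp_tls_security_level ("may" and "encrypt"); the EHLO reply is constructed and the decision logic is a simplified model, not Postfix's code.

```python
import re

# Policy names borrowed from Postfix's smtp_tls_security_level (assumption: the
# reader knows that knob); the decision logic below is a simplified model.
NONE, MAY, ENCRYPT = 'none', 'may', 'encrypt'

# Constructed EHLO reply in RFC 5321 multi-line form: "250-" continues, "250 " ends.
EHLO_OK = (
    "250-mx.example.net Hello client.example.org [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
STARTTLS_READY = "220 2.0.0 Ready to start TLS"
STARTTLS_TEMPFAIL = "454 4.7.0 TLS not available due to temporary reason"


def parse_ehlo(reply: str) -> set:
    """Keywords advertised in a 250 multi-line EHLO reply (first line is the greeting)."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith('250'):
        return set()
    keywords = set()
    for line in lines[1:]:
        m = re.match(r'250[ -]([A-Za-z0-9]+)', line)
        if m:
            keywords.add(m.group(1).upper())
    return keywords


def strip_starttls(reply: str) -> str:
    """What an on-path attacker does to a cleartext hop: drop the STARTTLS line."""
    kept = [l for l in reply.splitlines() if 'STARTTLS' not in l.upper()]
    return ''.join(l + '\r\n' for l in kept)


def choose_transport(ehlo_reply: str, tls_policy: str,
                     starttls_reply: str = STARTTLS_READY) -> str:
    """Outcome for one delivery attempt: 'tls', 'cleartext' or 'refused'."""
    if tls_policy == NONE:
        return 'cleartext'
    offered = 'STARTTLS' in parse_ehlo(ehlo_reply)
    if offered and starttls_reply.startswith('220'):
        return 'tls'
    # STARTTLS was never offered, or the STARTTLS command got a 4xx/5xx (which
    # an attacker can inject just as easily): an opportunistic client falls
    # back to cleartext, a mandatory policy defers the mail instead.
    return 'cleartext' if tls_policy == MAY else 'refused'


def demo() -> dict:
    """Every (policy, scenario) pair; the two 'cleartext' rows are the downgrade."""
    scenarios = {
        'honest':   (EHLO_OK, STARTTLS_READY),
        'stripped': (strip_starttls(EHLO_OK), STARTTLS_READY),
        'rejected': (EHLO_OK, STARTTLS_TEMPFAIL),
    }
    return {(p, s): choose_transport(ehlo, p, reply)
            for p in (MAY, ENCRYPT)
            for s, (ehlo, reply) in scenarios.items()}


if __name__ == '__main__':
    for (p, s), outcome in demo().items():
        print(f"policy={p:<8} scenario={s:<9} -> {outcome}")
```

Even the 'tls' outcome says nothing about who is at the other end: opportunistic STARTTLS in most MTAs does not verify the server certificate, so an active attacker can still terminate the session with a certificate of their own. Mandatory TLS buys you a deferral instead of a cleartext leak, at the cost of mail to a broken or hostile destination sitting in the queue, which is why it is normally applied per destination rather than globally.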

      2. Archtech Silver badge

        Re: progress

        OK, couldn't resist...

        "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench".

        - Professor Gene Spafford

        1. Charles 9 Silver badge

          Re: progress

          To which I'd respond, "Given neither end's gonna move, what do you suggest? They insist."

        2. Anonymous Coward

          Re: progress

          > Using encryption on the Internet is the equivalent of arranging an armored car to deliver...

          Relying on TLS for email is more like writing a postcard to your friend, popping it in a locked pillar box and assuming all the mailmen between there and your friend are going to keep their mail bags locked and that no one in the sorting office is going to have a quick read.

  3. Louis Schreurs BEng

    Yeah,

    I read the title as:

    Who can have sex? ......

    Freudian reading?

    1. Doctor Syntax Silver badge

      Re: Yeah,

      "Freudian reading?"

      Should have gone to Specsavers.

  4. Aqua Marina

    How do I configure my email client, so that once I’ve configured encrypted emails, it becomes impossible to send me the same text by postal mail?

    1. Brewster's Angle Grinder Silver badge

      It's not that it's sent by post that's the problem. It's that it's sent by an insecure postman (or postwoman). You need to get it sent by an encrypted postie.

      1. phuzz Silver badge

        You should ring up your local mail carrier and ask them if their posties are RFC 2595 and/or RFC 3207 compliant.

        Please record your phone call for the rest of us to laugh at study

  5. David Roberts Silver badge

    email is so last century

    Sadly, so am I.

    Specifying changes to underlying protocol choices may well leave older email clients high and dry.

    Still mainly using Windows Live Mail although it was put out to grass many years ago.

    Thunderbird keeps getting almost abandoned.

    Bright young things use web mail.

    Where is the leading edge mail client development to drive these changes forward?

    1. Anonymous Coward

      Re: email is so last century

      David Harris is apparently still working towards Pegasus email v5 - a major rewrite.

      First issued in 1993 - all 56 releases have maintained compatibility with the user's previous saved emails no matter how old. That will also be the case for v5.

      In the newsletter he coins an interesting measurement of lines of code - 71,500 lines is 1 WaP. Which is based on the length of Tolstoy's book "War and Peace" (Oxford World Classics edition).

      1. LDS Silver badge

        "David Harris is apparently still working towards Pegasus email v5 - a major rewrite."

        Yes, but his rewrites take so long that by the time he has finished we'll have IMAP5 and SMTP3 (they'll get SMTP2 wrong, and will release SMTP3 soon after it). He's been talking about version 5 since 2011, at least.

        He was unlucky though, the free email clients first, and later webmail, wiped out his income.

        1. Mike Tubby

          Re: "David Harris is apparently still working towards Pegasus email v5 - a major rewrite."

          I say "Bring Back Eudora" ;-)

          G

      2. Adam 1 Silver badge

        Re: email is so last century

        > - 71,500 lines is 1 WaP. Which is based on the length of Tolstoy's book "War and Peace" (Oxford World Classics edition).

        I have seen a ViewModel with 1.1 WaPs. And not just a bunch of consts or enum declarations either. Yes, I wish I was exaggerating too.

    2. AndrueC Silver badge

      Re: email is so last century

      TheBat! is still being developed. Things were a bit quiet last year but in the last two months there have been three updates. Sadly their IMAP engine has a bug that means it occasionally refuses to pull the body down and they've investigated and said they can't fix it. But other than that it works well and it's what I eventually settled on after many years of trying alternatives.

    3. Lysenko

      Re: email is so last century

      Mailbird isn't too bad. Yes, it has the nasty whiff of Electron about it (I haven't checked if it actually is), but it's usable. On Linux, there's Evolution for those who find ThunderBird disagreeable. The only webmail I use is RoundCube (which runs on one of my own servers).

      As for the "bright young things": I thought they all used SnapFarceTwitGram? If you're a narcissistic exhibitionist already, what do you need encrypted communications for? If internet slurp engines can't read and index everything it might be harming your search engine rankings !!! (Hmmm ... business opportunity: SSL/TLS deactivation services marketed as SEO).

      1. Anonymous Coward

        Re: email is so last century

        "On Linux, there's Evolution for those who find ThunderBird disagreeable."

        Urg... I sent Evolution packing after struggling far too long getting their filtering to work reliably. A shame, actually, as I rather liked their calendar function. Left for Thunderbird. Their filtering works consistently well but it has other warts. Relegating sound-on-new-email to a 3rd party plug-in still has me shaking my head. Especially when they left in all the options to define that sound in Thunderbird itself. Then there's the nifty feature that shows a pop-up not only when new mail arrives but also when I drag something from the Inbox to another folder--any folder. Fixed by--you guessed it--a 3rd party plug-in. IMHO, KMail put both of those to shame but I grew tired of having a huge number of Akonadi processes consuming every available resource.

        1. Anonymous Coward

          Re: email is so last century

          > Relegating sound-on-new-email to a 3rd party plug-in still has me shaking my head. Especially when they left in all the options to define that sound in Thunderbird itself.

          What is your desktop environment? On KDE you wouldn't typically configure that at the application level, but you would do it as part of the notifications component of KDE. The application is supposed to let the system know what notifications it may issue and you tell it how you want to be made aware of it, if at all.

    4. Anonymous Coward

      Re: email is so last century

      > Bright young things use web mail.

      Can't be very bright if they're using a method that requires a persistent connection during the whole receiving / reading / composing / sending process, requires bandwidth use to download the chrome, and has a penchant for losing the contents of your freshly composed email if anything goes wrong with the connection when trying to send.

      OK, all of the above does not *have* to be like that: in theory it is perfectly possible to build an offline email client as a service worker, but to my knowledge none exists today and even if they did, it would be no help to those of us who are on permanent private mode and have disabled local storage and various other functions not compatible with privacy-preserving web browsing.

      And anyway, people have been saying email is last century for the last 17 years. Maybe they should have moved to Wave >:)

      1. Andy Non

        Re: email is so last century

        I still use Thunderturd and POP3 via my own domain. Tried Gmail but it was a pain in the arse. Set it up for POP as I want to work locally and store emails locally, but discovered that I always need to be logged into Google to use it or it bitches about not being logged in when I try to retrieve email, despite having set it up with correct password etc for POP use, or worse, when I try to send an email from POP via my Gmail account it locks up completely and Google thinks my account has been showing suspicious activity and won't let me use it any more. My experiment using Gmail lasted all of an hour. I refuse to be permanently logged into Google in my web browser (presumably so they can keep track of all online activity). F**k that Google.

        1. Charles 9 Silver badge

          Re: email is so last century

          "F**k that Google."

          Then you wonder what's going to happen when you basically learn you MUST submit to Big Brother in order to do anything of value on the Internet anymore. What then? Go back to the Sears catalog?

          1. This post has been deleted by its author

        2. AndrueC Silver badge

          Re: email is so last century

          I still use Thunderturd and POP3 via my own domain. Tried Gmail but it was a pain in the arse.

          I use a combination these days. Android seems determined to Doze no matter what I do and IMAP just isn't Doze compatible. I managed to get it working most of the time but never completely reliably. And when IMAP timed out that was it until I manually restart it. My attempts didn't really work and my phone barely lasted two days between charges.

          I now have my mail server set up to treat my GMail account as an assistant that gets copies of all my emails and have stopped my phone trying to keep up to date with my server. GMail still isn't always instant but at least it eventually notices new emails regardless of how long it's been Dozing.

          And now that I'm allowing Doze to do what it wants my battery only drops .5% an hour and easily lasts five days (currently on day four with 62% charge left).

          So sadly Google wins that battle. But the war is not over, yet :)

          My phone is a Samsung S7 Edge.

          1. Anonymous Coward

            Re: email is so last century

            > Android seems determined to Doze no matter what I do and IMAP just isn't Doze compatible. I managed to get it working most of the time but never completely reliably. And when IMAP timed out that was it until I manually restart it

            Assuming that by "Doze" you mean entering power saving mode (a mode in which the phone tries to kill anything that is not Gurgle-related "to save battery"), K-9 does an OK job, once you go to the device settings menu and put it on the list of apps that shouldn't be bothered by this "doze" mode.

            1. AndrueC Silver badge

              Re: email is so last century

              K-9 does an OK job, once you go to the device settings menu and put it on the list of apps that shouldn't be bothered by this "doze" mode.

              Not for me. It was okay for a while in conjunction with an app called 'Disable Doze' but every couple of days it would give up and stop noticing emails. My current setup is working somewhat better and at least my battery life is decent again.

              1. Anonymous Coward

                Re: email is so last century

                > Not for me. It was okay for a while in conjunction with an app called 'Disable Doze' but every couple of days it would give up and stop noticing emails.

                I am on K-9s latest version from F-Droid and on Android 7-something. No Gurgle account at all on the device and every Gurgle component, including the phone application, has been uninstalled.

                But yes, I do know that other people have had issues.

        3. LDS Silver badge

          "Set it up for POP as I want to work locally and store emails locally"

          IMAP can do that as well, and far better than POP. Especially since with IMAP it is far easier to keep different devices (desktop, laptop, tablet, mobe) in sync.

          1. AndrueC Silver badge

            Re: "Set it up for POP as I want to work locally and store emails locally"

            It also means that if you have to replace a computer (like I had to replace a laptop I broke) your email client is up to date almost instantly. No need to recover anything from the defunct machine.

            1. DropBear Silver badge

              Re: "Set it up for POP as I want to work locally and store emails locally"

              "It also means that if you have to replace a computer your email client is up to date almost instantly"

              Why would you need IMAP for that? My mail is only archived on Gmail once I POP it, not deleted. I have a full copy. They have a full copy. And there's a Gmail setting called "Enable POP for all mail (even mail that's already been downloaded)" - any new device could slurp down everything to a fresh local POP store and keep going. Also, my mobe can see and search all of it all the time through its Gmail app.

              I know IMAP _can_ mirror things locally - but as far as I know that's not really how you're _supposed_ to be using it; I just can't shake the feeling it's more of a local cache than a proper mailbox, and it might decide to "sync" to an empty folder wiping all my local mail any time something doesn't quite work out. I could be wrong - but I definitely don't enjoy performing edge-of-the-seat pucker-factor-eleven acrobatics just so I can keep doing exactly what I used to do, only imperceptibly differently and with one more sword hanging precariously above my head.

              1. Anonymous Coward

                Re: "Set it up for POP as I want to work locally and store emails locally"

                > My mail is only archived on Gmail once I POP it, not deleted. I have a full copy.

                He was probably referring to POP3 generically, not to a specific provider's implementation (whose contract may change from one day to the next).

              2. AndrueC Silver badge

                Re: "Set it up for POP as I want to work locally and store emails locally"

                I definitely don't enjoy performing edge-of-the-seat pucker-factor-eleven acrobatics just so I can keep doing exactly what I used to do, only imperceptibly differently and with one more sword hanging precariously above my head.

                As another poster wrote I'm referring to the difference between POP3 and IMAP. With POP you have to restore data to regain access to old emails. With IMAP you don't have to do anything other than enter your server credentials.

        4. vtcodger Silver badge

          Re: email is so last century

          As you say, getting any local email setup other than viewing through a browser to work reliably with gmail is a substantial PITA. I set it up with IMAP rather than POP and it wasn't a lot of fun. And every year to 18 months it breaks until I change some poorly described setting or other at Google. OTOH, it's free.

          I can't conceive that encryption will make the process any less obtuse and fragile.

          One of the many things that trouble me about the let's encrypt everything NOW movement is the common assumption that there is no financial or usability cost. There's nothing in my email that the NSA, Google, and foreign agents aren't welcome to read. But the stuff is useful occasionally. If past experience is any guide, encryption is going to cost me time and effort and maybe make me change to a different provider. In what way does that benefit me or anyone else?

          1. Anonymous Coward

            Re: email is so last century

            > As you say, getting any local email setup other than viewing through a browser to work reliably with gmail is a substantial PITA.

            Then why not just give up gmail? GMX is a very reliable option instead and is a German company, with the corresponding privacy implications.

            Call me weird, but I am queasy about walled gardens.

        5. DropBear Silver badge

          Re: email is so last century

          "Set it up for POP as I want to work locally and store emails locally, but discovered that I always need to be logged into Google to use it"

          No idea what you're talking about. I've been using it with POP3 for over a decade now. Don't recall any issues.

    5. alain williams Silver badge

      Re: email is so last century

      mutt first released 1995, last update was last week. Fast, stable, secure.

    6. Daniel von Asmuth Bronze badge

      Re: email is so last century

      What mail client? We send and read e-mail by telnetting to port 25. Encryption is so hard to do manually.

      1. Anonymous Coward

        Re: email is so last century

        > Encryption is so hard to do manually.

        Not really, but if you insist there is no shame in using a slide rule.

  6. DontFeedTheTrolls

    " an interesting measurement of lines of code - 71,500 lines is 1 WaP. Which is based on the length of Tolstoy's book "War and Peace" (Oxford World Classics edition)."

    One for the Standards Bureau

  7. Charles 9 Silver badge

    Seems another link is needed to ensure the privacy of e-mail, that being transparent encryption that is fully and transparently baked into the protocol and implementation so that even Grandma is using it even if she doesn't realize she's using it.

    1. Bill Gray

      I've wondered about this.

      At the very least, I'd like to have an option wherein each (unencrypted) e-mail I send says at the bottom: "My public key is..." Suitable e-mail clients recognizing that line would ensure that replies were sent encrypted with that key, and included the public key of the person I'd e-mailed.

      At that point, encryption is established at both ends and subsequent messages are end-to-end encrypted.

      Yes, I realize this is highly imperfect. The first message I send isn't encrypted. Nobody is authenticated; I don't know if my correspondent is a dog. (Various things could be "bolted on" to implement perfect forward secrecy and to tell people your private key has been compromised; I've left that out for simplicity.) However, Grandma wouldn't have to know she's using this scheme, and it's immensely better than the current idiocy of doing absolutely nothing.

      A benefit of such a scheme is that it would result in a lot of end-to-end encrypted communication. At present, use of such is probably rare enough to be a useful flag to three-letter agencies: they may not know what you're saying, but it's probably something "subversive". If E2E was everywhere, they might have to engage in actual police work.

      1. LDS Silver badge

        "e-mail I send says at the bottom: "My public key is"

        You can do it already. The issue is you need a key your recipients will trust - encryption without authentication is of little use.

        In Italy there is the "PEC" (certified electronic mail) which is encrypted using certificates issued by the PEC providers. Still, your mail is routed through the providers themselves, and I'm quite sure there are escrow keys available to law enforcement agencies.

        Anyway, the main aim of the system is to replace certified mail - sending, receiving and reading is logged and timestamped by the system, so you have legal proof of anything sent.

        You can already set up end to end encryption using S/MIME or PGP, but usually, outside corporate environments and maybe deals with partners, there are no widely available directory services able to map keys to users trustfully - you have to do it yourself, and that greatly decreases its usefulness.

        1. Bill Gray

          Re: "e-mail I send says at the bottom: "My public key is"

          "...The issue is you need a key your recipients will trust - encryption without authentication is of little use."

          You have a lot of company in that sentiment. The scheme I describe is -- as I said -- imperfect. All it means is that if I e-mail bobdoe@example.com and get an encrypted reply, further traffic can be read by me and whoever replied.

          Yes, yes, I know... the NSA, GCHQ, etc. may have intercepted the original e-mail and replied, spoofing Bob's e-mail address. I'll think I'm talking to Bob, but I'm really not. But most of us aren't up against the NSA. (Though you and I may be, after they read these comments.)

          The fact that my front door won't resist a battering ram doesn't mean I don't lock it (current e-mail is more analogous to leaving the door open with a "Welcome Thieves" sign). If I'm an NSA target, I'll make sure "Bob" is really "Bob" through some other means, such as talking with him to ask if he got any of my mails. (Actually, if I'm _that_ important a target, I'll have to assume any electronic devices have been hacked from the get-go and will have to resort to paper-and-pencil one-time pads... no matter how paranoid you get, it's hard to keep up.)

          1. Adam 1 Silver badge

            Re: "e-mail I send says at the bottom: "My public key is"

            > Yes, yes, I know... the NSA, GCHQ, etc. may have intercepted the original e-mail and replied, spoofing Bob's e-mail address. I'll think I'm talking to Bob, but I'm really not. But most of us aren't up against the NSA

            It's not only the TLAs that have superpowers over such a scheme. If your email is being sent over plain ol' SMTP, then it would be trivial to both intercept and modify your email and therefore change that header string. I haven't checked, but I'd put money on there being a pre built module for the WiFi pineapple to do this already.

        2. Charles 9 Silver badge

          Re: "e-mail I send says at the bottom: "My public key is"

          "You can do it already. The issue is you need a key your recipients will trust - encryption without authentication is of little use."

          Why trust someone else to hold the key? Make your own key pair and just publish the public keys.

          Now, OK, having multiple devices is an issue, but so is making a key backup. So a method of copying and transferring keys (subject to your authorization) will be needed as well, using USB sticks, bluetooth, or some other means (permanent storage would be encrypted in storage, transfers can be secured with something like DHKE).

          1. LDS Silver badge

            "Why trust someone else to hold the key"

            Not hold the key. Just validate the key is mine and only mine. Self signed keys are useless. Anybody can generate a pair for any email address.

        3. Anonymous Coward
          Anonymous Coward

          Re: "e-mail I send says at the bottom: "My public key is"

          > encryption without authentication is of little use.

          You cannot say that without fully specifying your problem domain and in particular your threat model.

          Take OTR and opportunistic encryption as examples where we start encrypting before we authenticate, if we ever do.

          1. LDS Silver badge

            Re: "e-mail I send says at the bottom: "My public key is"

            If you encrypt the data with the key of someone who's impersonating someone else, you're just sending data to the wrong recipient. The fact they're encrypted in transit is irrelevant.

            People have been brainwashed they must protect from the NSA intercepting communication, but that's not the only bad actor. If you connect to a phishing site via HTTPS, it's not the NSA that should worry you....

      2. Eddy Ito Silver badge

        Grandma's Gordian knot

        Grandma becomes a problem if she uses multiple devices. Her iPad will need the same keys as the PC and her phone. Sure the server can hold the public key and even include it in the header completely transparently so Grandma never even sees the key in the signature, thus avoiding a potentially extended attempt to explain what a public key is. The issue is the private key; if synchronization during setup and/or migration isn't dead simple then grandma isn't going to handle it when she buys a new $device and it can't be so simple that it's easily hacked. The server could handle the private key also but if it isn't a private server then it really isn't a private key and even if it is a private server it presents another layer of security headaches.

      3. Anonymous Coward

        > I've wondered about this.

        Autocrypt

        1. Bill Gray

          @AC recommending Autocrypt : thank you. Looks as if they're doing exactly what I describe, except (a) keys are offered through headers rather than in the message body, which makes sense and (b) they've thought through the bits I'd cavalierly waved aside (how to handle group e-mails, for example, and what to do if somebody loses their key or has multiple devices.)

          However, they explicitly state (as I did) that this is "opportunistic" encryption, without all messages encrypted at all times and without a way to authenticate you're who you say you are. It'll make life more difficult for spooks, but not impossible. The idea is not to let the perfect be the enemy of the good. Seems a worthy goal.
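
Since the Autocrypt pointer above is what the "My public key is..." scheme grows into, here is an added example (mine, not the thread's, and not Autocrypt's own code) of the two pieces a client has to implement: parsing the Autocrypt: header into per-peer state, and turning that state into a recommendation when composing. It follows the Level 1 rules as I understand them (addr must match the sender, attributes starting with an underscore are ignored, any other unknown attribute invalidates the header, two valid headers cancel each other, "encrypt" only when both sides say prefer-encrypt=mutual), leaves out timestamps, key gossip and OpenPGP parsing, and uses constructed placeholder bytes where the real header carries a base64 OpenPGP key. The last function is the point Adam 1 makes further up: on a cleartext hop an attacker can rewrite the header, and the recipient's client then recommends encrypting to the attacker's key with exactly the same confidence.

```python
import base64
import hashlib
import re

# Constructed placeholders; a real Autocrypt header carries a base64 OpenPGP
# transferable public key here, which a real client hands to its OpenPGP library.
BOB_KEYDATA = base64.b64encode(b'constructed-placeholder-key-for-bob').decode()
MALLORY_KEYDATA = base64.b64encode(b'constructed-placeholder-key-for-mallory').decode()

KNOWN_ATTRS = ('addr', 'prefer-encrypt', 'keydata')


def parse_autocrypt(header_value: str):
    """Parse one Autocrypt: header value; None if it must be treated as invalid."""
    attrs = {}
    for part in header_value.split(';'):
        if not part.strip():
            continue
        if '=' not in part:
            return None
        name, value = part.split('=', 1)
        name = name.strip().lower()
        if name.startswith('_'):
            continue                    # underscore-prefixed: non-critical, ignore
        if name not in KNOWN_ATTRS:
            return None                 # unknown critical attribute: whole header invalid
        attrs[name] = value.strip()
    if 'addr' not in attrs or 'keydata' not in attrs:
        return None
    try:
        key = base64.b64decode(''.join(attrs['keydata'].split()), validate=True)
    except ValueError:                  # binascii.Error is a ValueError
        return None
    if not key:
        return None
    return {
        'addr': attrs['addr'].lower(),
        'prefer_encrypt': 'mutual' if attrs.get('prefer-encrypt') == 'mutual' else 'nopreference',
        'key': key,
    }


class PeerState:
    """Per-address state an Autocrypt client keeps (simplified: no timestamps)."""

    def __init__(self):
        self.peers = {}

    def process_incoming(self, from_addr: str, autocrypt_headers) -> bool:
        """Update state from one message; returns True if a header was accepted."""
        from_addr = from_addr.lower()
        valid = [p for p in map(parse_autocrypt, autocrypt_headers)
                 if p and p['addr'] == from_addr]
        if len(valid) != 1:             # none, or more than one: ignore them all
            return False
        self.peers[from_addr] = valid[0]
        return True

    def recommend(self, to_addr: str, own_prefer_encrypt: str = 'mutual') -> str:
        """'disable' (no key), 'available' (key, user decides) or 'encrypt' (default on)."""
        peer = self.peers.get(to_addr.lower())
        if peer is None:
            return 'disable'
        if peer['prefer_encrypt'] == 'mutual' and own_prefer_encrypt == 'mutual':
            return 'encrypt'
        return 'available'


def key_id(key: bytes) -> str:
    """Short identifier for display; a real client shows the OpenPGP fingerprint."""
    return hashlib.sha256(key).hexdigest()[:16]


def mallory_rewrite(header_value: str) -> str:
    """What an on-path attacker on a cleartext hop does: swap in their own key."""
    return re.sub(r'keydata=[^;]*', lambda _: 'keydata=' + MALLORY_KEYDATA, header_value)


def demo():
    """Alice's view of Bob's key before and after Mallory rewrites the header."""
    honest = f"addr=bob@example.com; prefer-encrypt=mutual; keydata={BOB_KEYDATA}"
    alice = PeerState()
    alice.process_incoming('bob@example.com', [honest])
    before = (alice.recommend('bob@example.com'), key_id(alice.peers['bob@example.com']['key']))
    alice.process_incoming('bob@example.com', [mallory_rewrite(honest)])
    after = (alice.recommend('bob@example.com'), key_id(alice.peers['bob@example.com']['key']))
    return before, after


if __name__ == '__main__':
    before, after = demo()
    print('honest header   :', before)
    print('rewritten header:', after)
```

The two recommendations come out identical; only the key identifier changes, and nothing in the protocol flags that. That is the trade Autocrypt makes openly: it removes the passive reader from the picture and leaves the active one to out-of-band fingerprint checks.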

  8. Jay 2

    On the subject of email clients I use Thunderbird on the Mac (s'OK I suppose) and Spark on the iOS stuff. Any of the default Apple mail clients drive me to distraction when I try to set them up as they constantly try and second guess what they think I'm after. Just let me put in all the sodding config myself then test it!

    For my sins at work we've got Lotus Notes, of which the saving graces are that it's not as bad as it used to be and it's not actaually a dedicated emaul client as it does loads of other stuff too.

    1. Anonymous Coward
      Anonymous Coward

      > it's not actaually a dedicated emaul client as it does loads of other stuff too.

      Does it have a spell checker?

  9. druck Silver badge
    FAIL

    Plus - NOT!

    Please tell this to PlusNet; 9 years and counting we've been asking for any sort of encryption on email.

  10. DougS Silver badge

    Port 465

    I thought that had been deprecated long ago. So now they are bringing it back? I just tried to enable port 465 in my sendmail.mc by uncommenting the "smtps" line, but when I did so, generated a new sendmail.cf and restarted sendmail it listened on port 465 all right but was no longer listening on port 25. What do I need to do to get it to listen on both?
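    An added example, not code from the thread or from sendmail: a small POSIX shell lint for the sendmail.mc gotcha behind the question above. sendmail's cf/README documents that once any DAEMON_OPTIONS line is active, the implicit port-25 daemon is no longer started, so uncommenting only the smtps line drops port 25, and the fix is to declare the Port=smtp listener explicitly next to it. The sample .mc contents below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Per sendmail's cf/README, once any
# DAEMON_OPTIONS line is active in sendmail.mc the implicit port-25 listener
# is no longer started, so uncommenting only the smtps (465) line loses port 25.
# check_listeners reads an .mc on stdin and reports whether both are declared.

# Emit the active DAEMON_OPTIONS lines, ignoring ones commented out with a leading dnl.
active_daemon_options() {
    grep -v '^[[:space:]]*dnl' | grep 'DAEMON_OPTIONS' || true
}

# Return 0 when both a named smtp (25) and smtps (465) listener are declared,
# 1 otherwise. Only the symbolic Port=smtp / Port=smtps forms are recognised.
check_listeners() {
    opts=$(active_daemon_options)
    if ! printf '%s\n' "$opts" | grep -q 'Port=smtps'; then
        echo "no smtps (465) listener declared"
        return 1
    fi
    # [^s] lets Port=smtp, and Port=smtp' match without matching Port=smtps
    if ! printf '%s\n' "$opts" | grep -q 'Port=smtp[^s]'; then
        echo "smtps declared but no explicit Port=smtp entry: port 25 will not be opened"
        return 1
    fi
    echo "both port 25 (MTA) and port 465 (TLSMTA) are declared"
    return 0
}

# Constructed sample: the state described in the post, smtps uncommented and
# nothing else active, so the default port-25 daemon silently disappears.
broken_mc=$(cat <<'EOF'
dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
EOF
)

# Constructed sample: the fix, declaring the port-25 listener alongside smtps.
fixed_mc=$(cat <<'EOF'
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
EOF
)

printf '%s\n' "$broken_mc" | check_listeners
printf '%s\n' "$fixed_mc" | check_listeners
```

After editing the .mc, regenerate sendmail.cf as usual and confirm with a local port listing that both 25 and 465 are open.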

    1. bombastic bob Silver badge

      Re: Port 465

      I had the same thought [as in 'why is my sendmail NOT listening on 465 right now'].

      found THIS

      1. DougS Silver badge

        Re: Port 465

        Excellent, thank you!

    2. storner
      Trollface

      Re: Port 465

      What you need to do ... may I suggest using an MTA with a sensible configuration language?

      1. DougS Silver badge

        Re: Port 465

        Since I change my config once every few years, and I know sendmail, it isn't worth investing any time in learning a different one even if it is simpler.

  11. s2bu

    *some*

    Some?! You have a very strange definition of SOME!

    I'd say it's fairly obvious that the MAJORITY of email isn't encrypted!!!

    But honestly, just encrypting it on each SMTP hop isn't really true end-to-end encryption. You're still trusting the ISPs on both ends, the same ones that are trying to hijack your DNS, etc.

    1. Anonymous Coward
      Anonymous Coward

      Re: *some*

      > I'd say it's fairly obvious that the MAJORITY of email isn't encrypted!!!

      A fair and very relevant point. The article should say, at least in passing, that it refers to in-transit encryption, not at-rest.

  12. Anonymous Coward
    Anonymous Coward

    Business is Business

    This article and the IETF are correct: we need better inter-communication encryption for email transport, and more.

    I don't care if you don't encrypt your email from end to end, but I do care that it is encrypted when it is exchanged between client and server and/or between server and server.

    I have been asking Government to provide a self-contained national secure email service for Australia. It would be good to reduce phishing, as the addresses could be monitored. To avoid leaking links to external locations, it would be required that images such as logos were embedded in the document using formats such as rtf (Rich text format) or pdf (postscript document format), and an archive format (Zip/7zip, Lha/Rar) for attachments. The cover letter/cover page would be plain text and tell you of the attachments, such as a bill from your energy supplier. Simple encryption could be used for obfuscation; these simple methods could include a zip or pdf password.

    If the end-user chose to further encrypt their documents it would be up to them.

    The point is that in Australia most corporations do not extensively use email for public business communication. Just try to find a bank's or superannuation fund's email address for "General Business", or find the CEO's email address. They could have an electronic mail room if they so choose.

    Many companies provide some email access for customer service; often these are squidgy windows without a full page space to write in, whereby you have to log into their website first before you can enter your question or complaint into the box provided. Some provide internal mail and notify you via SMS to your two-factor mobile phone number that they have sent you something.

    It is obvious that many of these organisations do not have confidence in these internet systems, while they push their customers into ever more convenient but risky internet access as a substitute for customer service.

    While sometimes I churn my ISP, causing my email address and phone number to change, I am sometimes pushed to Yahoo or Google mail products as the ISP doesn't provide email, and so I am left to rely on whatever these free email client and mail products will do.

    1. Charles 9 Silver badge

      Re: Business is Business

      No, I think the big thing (and the reason the paperless office will never come) is the perpetual need for legal paper trails in case police come a-knockin'. It's that way in the US, too. Nothing beats a physical copy. That's why copy papers are still so important.

  13. Mike Tubby
    Mushroom

    Implicit or explicit?

    How is this move to 'implicit' encryption?

    Surely this is 'explicit' encryption since it is directly stated that we are to use encryption (on these ports) to connect to servers?

    G

  14. gnarlymarley
    WTF?

    Who can save us? It's 2018 and some email is still sent as cleartext

    What I do not understand is why would items in the public domain "need" encrypting? Sure, information like heading to the store or personal information or bank transfers needs encrypting. Not everything on planet earth should need encryption.

    If we keep trying to travel down this line of thinking, then government will have no choice but to force backdoors and this will in turn weaken encryption. Sounds to me like our ignorance is what will provide no benefit and in the end will keep us in the current spot we are in, except with an extra fuzzy comfort blanket.

    1. Charles 9 Silver badge

      "What I do not understand is why would items in the public domain "need" encrypting? Sure, information like heading to the store or personal information or bank transfers needs encrypting. Not everything on planet earth should need encryption."

      Yes it does, because every little crumb can be used to facilitate identity theft, and ANYONE's identity can be useful to a thief who simply seeks a cover. And yes, they existed before the Internet as mailbox raiders.

      "If we keep trying to travel down this line of thinking, then government will have no choice but to force backdoors and this will in turn weaken encryption."

      Or simply promote encryption which cannot be done for all the tea in China. Barring that, promote quantum encryption which is physically impossible to break.

Biting the hand that feeds IT © 1998–2019