Open Source and information security mailing list archives
 
Message-Id: <201008250930.o7P9UHts014646@leija.fmi.fi>
Date: Wed, 25 Aug 2010 12:30:17 +0300 (EEST)
From: Kari Hurtta <hurtta+bugtraq@...ja.mh.fmi.fi>
To: Holger Rabbach <hrabbach@...ssroad-networks.com>
Cc: Kari Hurtta <hurtta+bugtraq@...ja.mh.fmi.fi>,
	bugtraq@...urityfocus.com
Subject: Re: Web Tool Announcement: ismymailsecure.com

Holger Rabbach <hrabbach@...ssroad-networks.com>: (Wed Aug 25 11:39:07 2010)
[ Charset ISO-8859-1 converted... ]
> Hi Kari,
> 
> it does not - yet. This is actually what I'm working on at the moment.
> However, since most MTAs at the moment don't do this kind of check, it
> is not very useful. So the tool currently only checks for encryption
> capabilities, it does *not* check for protection against MiTM attacks.
> The next, enhanced version of the tool will have an optional check for
> this and also the supported ciphers.
> 
> Holger

And because the mail server name and the email address do not need to have
any connection, checking the signature of the certificate against a CA also
does not help much. It does not protect against an attack on MX records in DNS.

> On 25/08/2010 09:59, Kari Hurtta wrote:
> > Holger Rabbach <hrabbach@...ssroad-networks.com>: (Wed Aug 18 12:59:19 2010)
> > [ Charset ISO-8859-1 converted... ]
> >> Dear Bugtraq community,
> >>
> >> I am happy to announce the immediate availability of a web based email
> >> security testing tool at http://www.ismymailsecure.com. The tool is an
> >> end-user friendly way to determine if the mail servers for a certain
> >> email address support the STARTTLS capability to encrypt the email
> >> transfer between servers. While most email providers have frontends that
> >> use encryption, the actual email transfers via SMTP are often not secure
> > 
> > It seems not to check if the certificate returned is signed by a trusted CA.

/ Kari Hurtta
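
The point made in the reply above, as an added example that is not part of the original messages: a small model of the checks a sending MTA can make after STARTTLS, showing that CA and host name validation give the same result for the genuine MX host and for a host named by a replaced MX record. All host names, the `session` dictionary layout and the function names are assumptions made for this illustration.

```python
# Added illustration: every host name and certificate below is constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host name.
    A wildcard may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_delivery(rcpt: str, mx_from_dns: str, session: dict) -> dict:
    """Model what a sending MTA can learn from one SMTP session.
    session stands in for the handshake result:
    {"starttls": bool, "ca_trusted": bool, "dns_names": [str, ...]}"""
    domain = rcpt.rsplit("@", 1)[1]
    names = session["dns_names"]
    return {
        "encrypted": session["starttls"],
        # Chain and name validation can only be done against the MX host name,
        # and that name came from an unauthenticated DNS answer.
        "cert_valid_for_mx": session["ca_trusted"]
        and any(name_matches(n, mx_from_dns) for n in names),
        # Nothing in the certificate ties the server to the address's domain.
        "cert_names_rcpt_domain": any(name_matches(n, domain) for n in names),
    }

RCPT = "user@example.org"
GENUINE = check_delivery(RCPT, "mail.hosting.example",
    {"starttls": True, "ca_trusted": True, "dns_names": ["*.hosting.example"]})
# MX answer replaced in DNS; the other host holds a valid certificate for itself.
FORGED_MX = check_delivery(RCPT, "mx.other.example",
    {"starttls": True, "ca_trusted": True, "dns_names": ["mx.other.example"]})
SELF_SIGNED = check_delivery(RCPT, "mail.hosting.example",
    {"starttls": True, "ca_trusted": False, "dns_names": ["mail.hosting.example"]})

def indistinguishable(a: dict, b: dict) -> bool:
    """True when no check separates the two sessions."""
    return a == b

if __name__ == "__main__":
    for label, r in (("genuine", GENUINE), ("forged MX", FORGED_MX),
                     ("self-signed", SELF_SIGNED)):
        print(f"{label:12} {r}")
    print("genuine vs forged MX indistinguishable:",
          indistinguishable(GENUINE, FORGED_MX))
```

Only the self-signed case is separated by the CA check; the genuine and replaced-MX sessions produce identical results.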
