|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
View Poll Results: Should fast mail better secure incoming email? | |||
I am not sure or I don’t know enough to say. | 7 | 50.00% | |
Yes, I don’t like people intercepting, modifying or spying on me/my email messages. | 5 | 35.71% | |
Maybe. Implement test mode for now. Then upgrade to enforcement mode if all goes well. | 2 | 14.29% | |
No. (Why?) | 0 | 0% | |
Voters: 14. You may not vote on this poll |
|
Thread Tools |
22 Apr 2019, 03:37 AM | #1 |
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
|
Should fastmail opt into strict transport layer security mode?
Should fastmail opt into strict transport layer security mode? See RFC 8461. MTA-STS (full name SMTP Mail Transfer Agent Strict Transport Security) is a ~10-month-old standard that aims to improve the security of SMTP by enabling domain names to opt into strict transport layer security mode ...
I just opted in my own domains and subdomains and fastmail subdomains. That is, <munged>.com, <munged.munged>.com, <munged>sent.com, <munged>.mm.st. It was my popular previous thread regarding whether the logs showed whether content to certain domains was encrypted or not (op cit) and this fastmail blog post that got me energized : Getting STARTTLS Everywhere TECHNICAL 27 June 2018 / Helen Horstmann-Allen (fastmail COO) https://fastmail.blog/2018/06/27/let...ls-everywhere/ This won’t (well, shouldn’t) cause any problems (other than for those trying to spy on email traffic). ( for example: When servers that don’t understand MTA-STS try and send email to fastmail it will still be accepted.) PS I’m surprised that MTA-STS policy can be defined only on a per recipient domain basis, but not on a per receiving SMTP server name basis, which would require much less setup and maintenance work, but at the cost of reduced policy granularity choice. PPS I’m guessing there’s no DanE support yet. Last edited by elvey : 22 Apr 2019 at 03:46 AM. |
24 Apr 2019, 01:39 PM | #2 |
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
|
More votes, please!
|
30 Apr 2019, 12:04 PM | #3 |
Senior Member
Join Date: Feb 2008
Location: European Union
Posts: 184
|
I would not worry too much about it, since Fastmail is an Australian company, their government could ask one of FM employees to introduce a backdoor before MTA-STS takes place or make it buggy, and if that is not possible they can ask the employee to write a piece of code to make it possible or give him a USB thumbdrive with malware to run it on the server.
If you are so worried about privacy it is best to pick a company not in Australia, somewhere employees can not be forced to act in secret behind the management back to introduce a backdoor, which is the current power Australian law enforcement has. This is unheard of even in the USA or UK and those countries are not exactly the most privacy friendly in the World, which tells you what a bad idea is to pick an Australian company for privacy. And before you say that you are not likely to attract law enforcement attention, let me remind you that backdoors can be exploited by anybody, not just law enforcement. Last edited by malcarada : 1 May 2019 at 01:26 AM. |
2 May 2019, 11:09 AM | #4 |
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
|
Really? I recall Fastmail has a blog post that, as i recall, doesn’t square with what you’re claiming. As I recall, because the server hosting is not in Australia but the company is, and fastmail is not more accommodating of legal demands then it has to be, privacy is unusually good (but by no means lavabit-good). Have you seen that post or posts?
Also I think you’re mistaken at least one sense because thee case of lavabit shows that in the US companies can receive enforceable secret orders to compromise email privacy. Do you have any sources to support your claim? Last edited by elvey : 2 May 2019 at 03:49 PM. |
3 May 2019, 08:11 AM | #5 |
Junior Member
Join Date: Nov 2014
Posts: 8
|
Even if the Australian government can compel Fastmail to install a backdoor to exfiltrate secured SMTP traffic, they probably wouldn't go through that length. But at the same time you shouldn't dismiss the "worst case scenario," because at some point in history mass surveillance on the Internet was considered hysteria/conspiracy theory territory which was unequivocally proved wrong.
In any case, MTA-STS is an improvement over the current posture of SMTP TLS interconnect by adding a stronger element of trust/authentication. It mitigates the threat of bad actors and MITM attacks for fairly negligible overhead/cost. There's probably never really been an attack in the wild of a rogue SMTP server masquerading as a legitimate entity, but it's just another way to keep servers/systems honest. To me, it's a no brainer, implement it. Probably not that important to expedite though. |
3 May 2019, 11:03 AM | #6 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
|
Was this thread inspired by this news about Gmail becoming the first major email provider to add MTA-STS support?
https://betanews.com/2019/04/12/gmai...tls-reporting/ https://www.zdnet.com/article/gmail-...tls-reporting/ Bill |
5 May 2019, 11:45 PM | #7 | |
Senior Member
Join Date: Feb 2008
Location: European Union
Posts: 184
|
Quote:
I think you are mistaken too comparing the lavabit case with the Australian law that can force employees to plant backdoors in the infrastructure and the law in the US where the CEO gets a gagging order and then he decides if he wants to comply with it or not, if Lavabit had been in Australia the CEO would have never known about any backdoor, law enforcement could have asked one of his employees to plant it and demand he doesn´t say anything to his boss. I stand by my comment, the Australian law that can force employees to act behind the back of their bosses is unheard of in the US or UK. Not sure if China or Iran have any equivalent, but other surveillance states like UK, they do not have that kind of power. Last edited by malcarada : 5 May 2019 at 11:51 PM. |
|
6 May 2019, 05:11 AM | #8 | |
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,458
|
Quote:
I'm not entirely convinced, @malcarada; I think we're both partly right; good discussion. Last edited by elvey : 6 May 2019 at 05:23 AM. Reason: mention gmail not reading emails anymore. |
|
Thread Tools | |
|
|