
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   BINKD      Support for the Internet BinKD mailer      8,958 messages   


   Message 6,925 of 8,958   
   Michiel van der Vlist to Alan Ianson   
   Security   
   05 May 20 09:45:25   
   
   TID: FMail-W32 2.1.3.7-B20170919   
   RFC-X-No-Archive: Yes   
   TZUTC: 0200   
   CHRS: CP850 2   
   MSGID: 2:280/5555 5eb11e20   
   REPLY: 1:153/757 5eaf15d4   
   Hello Alan,   
      
   On Sunday May 03 2020 11:39, you wrote to me:   
      
    MV>> Security against what threats and privacy against which snooping   
    MV>> eyes?   
      
    AI> Actually, TLS is not really new. It started as SSL from a bygone era   
    AI> and TLS is what we have today. It has and continues to evolve.   
      
   I know TLS is not new.   
      
    AI> Snooping eyes are everywhere. They are unseen doing I don't know what.   
    AI> We have the technology   
      
   Do we? Or do we just think we have? If you do not know against what or who you
   are protecting, how do you know the defence is effective? Or if it is working
   at all?
      
    MV>> The biggest potential invasion of privacy in Fidonet are sysops   
    MV>> snooping on in transit mail. TLS does not protect against that.
      
    AI> That is true. We could (and I'm surprised we haven't) develop a way to   
    AI> encrypt transit mail if we wanted to.
      
   We have already had that for 25 years. I already used PGP to encrypt netmail in the
   mid nineties. I wrote a utility for it that scanned *.msg for certain strings
   and called PGP to encrypt the text. The problem was that few sysops would route
   encrypted mail....   
      
    AI> Mystic does this. It has support for this by using an AES256   
    AI> encryption key between links. If Mystic operators use this feature   
    AI> netmail between nodes is encrypted. I think this all happens when   
    AI> tossing so it (or something like it) could be used in Fidonet   
    AI> generally if the software supports it. I'm not sure if that would be   
    AI> better implemented in the mailer or tosser. Probably the tosser.
      
   Probably a dedicated utility like my IMCRYPT.   
      
    MV>> The best strategy against snooping governments is to not be of   
    MV>> interest. I doubt TLS is safe against the resources of governments.   
      
    AI> TLS is open source.   
      
   These days open source is no guarantee that you know exactly what is going on.   
   There is too much under the hood...   
      
    AI>  Governments could outlaw it if they wanted to   
      
   But they don't. So I suspect they have already cracked it or have other ways
   to circumvent.   
      
    AI> raise the ire of the people but I don't think that is going to happen.   
      
    AI>>> It's a natural movement forward.   
      
    MV>> Binkd already has built-in encryption. I do not think the added
    MV>> value of TLS is worth the effort and overhead. Not for Fidonet...   
      
    AI> That was a very good addition that the binkd developers added to binkd   
    AI> at the time. It was powerful and ahead of its time.
   [..]   
    AI> That algorithm was also cracked about 20 years ago. It's still better   
    AI> than nothing but TLS would be a good addition today. The crypt option   
    AI> does not provide security today.   
      
   I know it is not perfect. But so are the locks on my house. They are not   
   perfect. They will not stop a sufficiently equipped and determined intruder.
   But it will stop enough.   
      
    AI>>> It's not easy to do in all mailers, but if it was and it was   
    AI>>> supported and available by your links and your own mailer would   
    AI>>> you use it?   
      
    MV>> I don't know. If I'd have to go through the hassle of getting a   
    MV>> certificate and pay for it and renew it every two years,
    MV>> probably not. And I do not trust LetsEncrypt.   
      
    AI> It's possible to use a self signed certificate.   
      
   That is the equivalent of someone saying "trust me". I never trust people who   
   say that.   
      
    AI> I don't know the ramifications of a self signed certificate vs   
    AI> letsencrypt but it might provide the security and privacy we need.   
      
    AI> Currently I use a certificate from letsencrypt.   
      
   I don't trust LetsEncrypt. For a variety of reasons. What is their business
   model? If it sounds too good to be true it usually isn't. Plus that it is a US
   company, subject to the Patriot Act.
      
   A couple of years ago a Dutch company issuing certificates was hacked. All
   the certificates were compromised. Google for DigiNotar.
      
   Anyway, binkd over TLS is not on my wish list. I'd prefer it if the developers
   spent their time and energy on other issues.
      
   Cheers, Michiel   
      
   --- GoldED+/W32-MSVC 1.1.5-b20170303   
    * Origin: http://www.vlist.eu (2:280/5555)   
   SEEN-BY: 1/123 90/1 120/340 601 220/50 226/30 227/114 702 229/100   
   SEEN-BY: 229/101 200 426 664 1014 240/5832 249/109 307 317 292/854   
   SEEN-BY: 342/200   
   PATH: 280/5555 464 229/101 426   
      
