asked 2014-06-04 16:46:29 +0300
When creating an email account, one can choose from 3 options: no encryption ;), SSL and TLS. Where is StartTLS? Is it used by default or does it depend on the port i use? How can I assure that encryption is enforced?
answered 2014-06-04 20:29:59 +0300
@nthn is right, TLS is startTLS and SSL is SSL/TLS. I will ask from our developers about dropping the connection if startTLS is filtered out by the server end.
answered 2014-06-04 21:58:53 +0300
@nthn - If the server advertises StartTLS, a encrypted connection is done after the capabilities are listed, if that connection is downgraded in server side it will be dropped in the client side, but if you try to connect to a server not supporting StartTLS while this option is select, it will continue using a plain socket, see code below:
If you want to make sure that encryption is in place, you must select SSL, naming is a bit confusing atm, is like tigeli says above, next update will fix the naming :)
Asked: 2014-06-04 16:46:29 +0300
Seen: 315 times
Last updated: Jun 04 '14
I always assumed the TLS option was StartTLS, and the SSL option was SSL/TLS. I may be wrong.
nthn ( 2014-06-04 18:50:20 +0300 )editHmm yeah i found a comment on TMO (http://talk.maemo.org/showthread.php?t=90037&p=1342121) stating this, but no documentation. If TLS includes StartTLS and SSL includes also TLS this is misleading. StartTLS can be misused to degrade the connection and thus undermine encryption efforts (as o2 Telefonicá did in Germany: http://www.heise.de/security/meldung/Eingriff-in-E-Mail-Verschluesselung-durch-Mobilfunknetz-von-O2-206233.html). That' why i just want to know how i can enforce SSL/TLS and block the use of StartTLS.
mgbler ( 2014-06-04 19:33:08 +0300 )edit