[Cialug] Dumb. Dumb Security.

Michael Davis mpdavis at iastate.edu
Mon Aug 20 17:47:37 CDT 2012


While their response is a bad one, you probably aren't talking to a
developer.  More than likely you are talking to someone in PR or marketing
that had a 5 minute conversation with a developer and doesn't fully
understand what is going on.  This can be made even worse by the fact that
the developer may not have seen your actual question, and is answering what
the PR/marketing person thinks you were asking.  It can end up being a big
game of telephone that gets messy quick.

It does sound like you have the option to not receive emails; why is that
not an option?  The website says that the software is in beta, so if you
feel like the software is worth it, I would continue paying for the
service, but forgo emails for the time being.  If enough people ask for
emails without account balances, I am sure it will be a feature shortly.
This assumes that you are comfortable with the rest of the service.

Michael Davis
Software Engineering - Iowa State University
WebFilings Software Development Intern
IASG Treasurer



On Mon, Aug 20, 2012 at 5:20 PM, Nicolai <nicolai-cialug at chocolatine.org> wrote:

> On Mon, Aug 20, 2012 at 03:44:11PM -0500, Todd Walton wrote:
> > "Given the ubiquity of encrypted email we've not spent the time to
> > offer finer control of email preferences.
>
> The Postfix documentation disagrees:
>
>  "Despite the potential for eliminating "man-in-the-middle" and
>   other attacks, mandatory secure server certificate
>   verification is not viable as a default Internet mail delivery
>   policy. Most MX hosts do not support TLS at all, and a
>   significant portion of TLS enabled MTAs use self-signed
>   certificates, or certificates that are signed by a private
>   certificate authority."
>
>   http://www.postfix.org/TLS_README.html
>
> (Never mind rampant security problems in OpenSSL!)
>
> A few months ago there was a thread on the mailop list about SSL/TLS
> versions seen in mail service, and 4 people posted breakdowns showing
> enough mail to suggest a wide variety of mail traffic.  Of those 4, 2
> reported 10-12% of outbound mail (thus not affected by spambots) to use
> SSL/TLS.  Another reported 24% and the last 60%, which seems high.
>
> So yeah, not many receivers can accept mail over SSL/TLS, and many of
> those who do use self-signed certs.  So again, this is funny:
>
> > "Given the ubiquity of encrypted email we've not spent the time to
> > offer finer control of email preferences.
>
> Ubiquity... they don't know what they're talking about.
>
> Nicolai

