echo: binkd
to: MICHIEL VAN DER VLIST
from: ALAN IANSON
date: 2020-05-03 11:46:00
subject: Security

Hello Michiel,

 AI>> Binkp over TLS is secure and provides privacy in a new and robust
 AI>> way.

 MV> Security against what threats and privacy against which snooping eyes?

Actually, TLS is not really new. It started as SSL from a bygone era and TLS is
what we have today. It has evolved and continues to evolve.

Snooping eyes are everywhere. They are unseen doing I don't know what. We have
the technology and I suggest we use it. It already exists so we don't have to
develop anything at all, we just need to support it.

 MV> The biggest potential invasion of privacy in Fidonet are sysops
 MV> snooping on in transit mail. TLS does not protect against that.

That is true. We could (and I'm surprised we haven't) develop a way to encrypt
transit mail if we wanted to.

Mystic does this. It has support for this by using an AES256 encryption key
between links. If Mystic operators use this feature, netmail between nodes is
encrypted. I think this all happens when tossing so it (or something like it)
could be used in Fidonet generally if the software supports it. I'm not sure if
that would be better implemented in the mailer or tosser. Probably the tosser.

 MV> The best strategy against snooping governments is to not be of
 MV> interest. I doubt TLS is safe against the resources of governments.

TLS is open source. Governments could outlaw it if they wanted to raise the ire
of the people but I don't think that is going to happen.

 AI>> It's a natural movement forward.

 MV> Binkd already has built-in encryption. I do not think the added value
 MV> of TLS is worth the effort and overhead. Not for Fidonet...

That was a very good addition that the binkd developers added to binkd at the
time. It was powerful and ahead of its time. That must have been twenty years
ago when SSL was not largely known or easy to implement.

That algorithm was also cracked about 20 years ago. It's still better than
nothing but TLS would be a good addition today. The crypt option does not
provide security today.

 AI>> It's not easy to do in all mailers, but if it was and it was
 AI>> supported and available by your links and your own mailer would
 AI>> you use it?

 MV> I don't know. If I'd have to go through the hassle of getting a
 MV> certificate and pay for it and renew it every two years, probably
 MV> not. And I do not trust LetsEncrypt.

It's possible to use a self-signed certificate. I don't know the ramifications
of a self-signed certificate vs letsencrypt but it might provide the security
and privacy we need.

Currently I use a certificate from letsencrypt.

 Ttyl :-),
         Al

--- GoldED+/LNX
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)

SOURCE: echomail via QWK@docsplace.org
