Hello Alan,
On Sunday May 03 2020 11:39, you wrote to me:
MV>> Security against what threats and privacy against which snooping
MV>> eyes?
AI> Actually, TLS is not really new. It started as SSL from a bygone era
AI> and TLS is what we have today. It has and continues to evolve.
I know TLS is not new.
AI> Snooping eyes are everywhere. They are unseen doing I don't know what.
AI> We have the technology
Do we? Or do we just think we have? If you do not know against what or who you
are protecting, how do you know the defence is effective, or if it is working
at all?
MV>> The biggest potential invasion of privacy in Fidonet are sysops
MV>> snooping on in-transit mail. TLS does not protect against that.
AI> That is true. We could (and I'm surprised we haven't) develop a way to
AI> encrypt transit mail if we wanted to.
We already have that for 25 years. I already used PGP to encrypt netmail in the
mid nineties. I wrote a utility for it that scanned *.msg for certain strings
and called PGP to encrypt the text. The problem was that few sysops would route
encrypted mail....
AI> Mystic does this. It has support for this by using an AES256
AI> encryption key between links. If Mystic operators use this feature
AI> netmail between nodes is encrypted. I think this all happens when
AI> tossing so it (or something like it) could be used in Fidonet
AI> generally if the software supports it. I'm not sure if that would be
AI> better implemented in the mailer or tosser. Probably the tosser.
Probably a dedicated utility like my IMCRYPT.
MV>> The best strategy against snooping governments is to not be of
MV>> interest. I doubt TLS is safe against the resources of governments.
AI> TLS is open source.
These days open source is no guarantee that you know exactly what is going on.
There is too much under the hood...
AI> Governments could outlaw it if they wanted to
But they don't, so I suspect they have already cracked it or have other ways to
circumvent.
AI> raise the ire of the people but I don't think that is going to happen.
AI>>> It's a natural movement forward.
MV>> Binkd already has built-in encryption. I do not think the added
MV>> value of TLS is worth the effort and overhead. Not for Fidonet...
AI> That was a very good addition that the binkd developers added to binkd
AI> at the time. It was powerful and ahead of its time.
[..]
AI> That algorithm was also cracked about 20 years ago. It's still better
AI> than nothing but TLS would be a good addition today. The crypt option
AI> does not provide security today.
I know it is not perfect. But so are the locks on my house. They are not
perfect. They will not stop a sufficiently equipped and determined intruder. But
it will stop enough.
AI>>> It's not easy to do in all mailers, but if it was and it was
AI>>> supported and available by your links and your own mailer would
AI>>> you use it?
MV>> I don't know. If I'd have to go through the hassle of getting a
MV>> certificate and pay for it and renew it every two years,
MV>> probably not. And I do not trust LetsEncrypt.
AI> It's possible to use a self signed certificate.
That is the equivalent of someone saying "trust me". I never trust people who
say that.
AI> I don't know the ramifications of a self signed certificate vs
AI> letsencrypt but it might provide the security and privacy we need.
AI> Currently I use a certificate from letsencrypt.
I don't trust LetsEncrypt. For a variety of reasons. What is their business
model? If it sounds too good to be true it usually isn't. Plus that it is a US
company, subject to the Patriot Act.
A couple of years ago a Dutch company issuing certificates was hacked. All the
certificates were compromised. Google for DigiNotar.
Anyway, binkd over TLS is not on my wish list. I'd prefer it if the developers
spend their time and energy on other issues.
Cheers, Michiel
--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: http://www.vlist.eu (2:280/5555)
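The exchange above describes two ways of encrypting netmail: a utility that scans stored messages for a trigger string and hands the text to PGP, and Mystic's per-link AES-256 key applied at toss time. The block below is an added example that is not part of the message, IMCRYPT or Mystic. It shows the toss-time variant in Go with the standard library only: a message body that starts with a trigger marker is sealed under a key derived from a shared per-link secret, and the receiving link unseals it. The marker text, the header line that replaces it, and the key derivation from a passphrase are all assumptions made for the example; "\r" as the line terminator of the message text is the FTS-0001 convention.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical trigger string the tosser scans for at the start of the message
// text, and the header line that replaces it on the wire. Neither is from the
// original message; IMCRYPT's own strings are not given there.
const (
	encryptMarker   = "*** ENCRYPT ***"
	encryptedHeader = "*** ENCRYPTED AES-256-GCM ***"
)

// linkKey derives a 32-byte AES-256 key from the secret both links agreed on.
// A plain hash of a passphrase is an assumption for the example; a real tosser
// would store a random 32-byte key per link instead.
func linkKey(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:]
}

func newGCM(secret string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(linkKey(secret))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForLink is what the sending tosser runs on the message text before
// packing it for a link. Unmarked messages pass through unchanged; a marked
// message has its text (minus the marker) replaced by a header line and one
// base64 line holding nonce || ciphertext || GCM tag.
func EncryptForLink(body, secret string) (string, error) {
	if !strings.HasPrefix(body, encryptMarker) {
		return body, nil
	}
	plain := strings.TrimPrefix(body, encryptMarker)
	gcm, err := newGCM(secret)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plain), nil) // nonce is prepended
	return encryptedHeader + "\r" + base64.StdEncoding.EncodeToString(sealed) + "\r", nil
}

// DecryptFromLink is the receiving tosser's counterpart. A body that does not
// carry the header is returned as-is; a wrong link key or a modified body fails
// the GCM authentication check and is rejected rather than tossed as garbage.
func DecryptFromLink(body, secret string) (string, error) {
	if !strings.HasPrefix(body, encryptedHeader+"\r") {
		return body, nil
	}
	enc := strings.TrimSuffix(strings.TrimPrefix(body, encryptedHeader+"\r"), "\r")
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(secret)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("encrypted body too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", errors.New("authentication failed: wrong link key or tampered body")
	}
	return string(plain), nil
}

func main() {
	// Constructed sample message text, not taken from any real netmail.
	body := encryptMarker + "\rMeet at the usual node.\r"
	wire, err := EncryptForLink(body, "shared-link-secret")
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire:\n%s\n", strings.ReplaceAll(wire, "\r", "\n"))
	back, err := DecryptFromLink(wire, "shared-link-secret")
	if err != nil {
		panic(err)
	}
	fmt.Printf("at the receiving link: %q\n", back)
}
```

Note what this does and does not protect: the key is per link, so each hop can read the text after unsealing it, exactly the situation the message raises about sysops routing in-transit mail. Only an end-to-end scheme such as the PGP approach described above keeps the text from the intermediate systems; the per-link scheme protects the packet on the line between two nodes, which is the same thing TLS or the binkd crypt option would do.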