
Measuring SMTP STARTTLS Deployment Quality - ingve
https://yahoo-security.tumblr.com/post/141495385400/measuring-smtp-starttls-deployment-quality
======
atonse
I know everyone uses and understands SMTP but is there any kind of effort
towards an SMTP/2 like with HTTP/2?

Something much more efficient, encrypted by default, less verbose with fewer
round trips?

Sure it's harder to get millions of servers moved, but you'd probably cover
more than half of worldwide email volume with the top 100 email providers?

~~~
marcosdumay
I'm trying to create an improvement [1], but I'm in the early stages, and
obviously don't command any big deployment.

Didn't do anything about verbosity, but I'm reducing the round-trips to one
(after the connection is established), making it encrypted by default, and
increasing the use cases of SMTP for replacing things like calendaring and
contact systems.

[1] https://sealgram.com/

------
dfc
> [scanner] did not support deprecated/insecure ciphers and DHE cipher suites,
> nor does it have SSLv3 client side support.

The equivalent of rose colored glasses for SSL/TLS scanning. This is really
unfortunate, the data would have been much more interesting if it helped paint
a picture of the good and the bad.

~~~
jlgaddis
Indeed. I manage mail systems that serve thousands of users and can attest
that there are a _LOT_ of mail systems out there still dependent upon SSLv3,
for example.

