
Lavabit Security Misconfiguration - mike-cardwell
https://www.grepular.com/Lavabit_Security_Misconfiguration
======
MichaelGG
Shouldn't it be using IMAPS instead of STARTTLS anyways?

~~~
Bino
I always favor STARTTLS in favor of implicit. I say so since implicit TLS on
SMTP (465) is deprecated.

~~~
MichaelGG
Why? What benefit is there in starting plaintext, and as the post shows,
allowing clients to transmit credentials?

And is IMAPS deprecated? Not that it matters -- the IETF or IANA deprecating
something or unassigning a port is not really much of a justification.

~~~
Bino
It was unnecessary to split the protocol into two ports when STARTTLS came
along shortly after. As for myself, I also think it's nice that you can
partly identify the usage of a port by connecting to it.

[https://en.wikipedia.org/wiki/SMTPS](https://en.wikipedia.org/wiki/SMTPS)

~~~
MichaelGG
Still doesn't address sending credentials plaintext or what benefit this has,
at all. Adds another roundtrip for no benefit. Using TLS doesn't change the
identification, just requires a few packets to be exchanged; not a huge deal.

So again, how did Lavabit help its customers by not forcing TLS for IMAP?
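
The misconfiguration MichaelGG is pointing at (a server that offers STARTTLS but still accepts a plaintext LOGIN before the upgrade) shows up in the server's own CAPABILITY advertisement, so an operator can check their own deployment without ever sending a password. The Python below is an added example, not code from the thread or from Lavabit; the host and port given to `probe()` are assumptions, and the sample greetings are constructed.

```python
# Added example (not Lavabit's or the thread's code): classify an IMAP server's
# plaintext port by the capabilities it advertises before TLS. RFC 2595 expects
# LOGINDISABLED (and no AUTH=PLAIN/AUTH=LOGIN) until STARTTLS has completed.
import socket

def parse_capabilities(line: str) -> set:
    """Return capability tokens from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    line = line.strip()
    upper = line.upper()
    if upper.startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    elif "[CAPABILITY " in upper:
        start = upper.index("[CAPABILITY ") + len("[CAPABILITY ")
        body = line[start:upper.index("]", start)]
    else:
        return set()
    return {tok.upper() for tok in body.split()}

def assess(caps: set) -> str:
    """Classify the pre-TLS posture: 'no-tls', 'optional' or 'enforced'."""
    if "STARTTLS" not in caps:
        return "no-tls"      # nothing to upgrade to; credentials always in clear
    if "LOGINDISABLED" in caps and not ({"AUTH=PLAIN", "AUTH=LOGIN"} & caps):
        return "enforced"    # client cannot authenticate until after STARTTLS
    return "optional"        # STARTTLS offered, but plaintext LOGIN still accepted

def probe(host: str, port: int = 143, timeout: float = 10.0) -> str:
    """Read the advertised capabilities on the plaintext port; sends no credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        caps = parse_capabilities(rd.readline().decode("utf-8", "replace"))
        if not caps:  # greeting carried no capability list; ask explicitly
            sock.sendall(b"a1 CAPABILITY\r\n")
            for raw in rd:
                line = raw.decode("utf-8", "replace")
                if line.startswith("a1 "):
                    break
                caps |= parse_capabilities(line)
        sock.sendall(b"a2 LOGOUT\r\n")
    return assess(caps)

# Constructed sample greetings (not captured from any real server).
SAMPLES = {
    "hardened": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "permissive": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN",
    "no_tls": "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready",
}
```

`assess()` returning "optional" is the state the thread is arguing about: a client that ignores STARTTLS can still hand over its password in the clear, and the fix on the server side is to advertise LOGINDISABLED (and withhold plaintext AUTH mechanisms) until the TLS upgrade has happened.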

------
floatingatoll
I'd love to know more about why this was considered insufficient to qualify
for industry-common disclosure practices while simultaneously described as a
'Security' misconfig.

If it's a security issue, then responsible disclosure.

If it's not a security issue, then it's not 'Security'.

Right?

~~~
tptacek
There's no such thing as "responsible disclosure".

The term is an Orwellian scheme to promote vendor interests as if they were
naturally shared by researchers and users.

This is a pretty boring discussion to be having on a thread about a new
vulnerability. Better that we should be talking about the impact of the
finding itself.

~~~
floatingatoll
"Until they became conscious they will never rebel, and until after they have
rebelled they cannot become conscious."

