
Given gmail's volume that would pretty much make it a requirement for all other mail services. A mandatory STARTTLS would make me happy!



How would mandatory STARTTLS (on Google servers' side) help you against a MitM downgrade attack?

The only way to avoid it is for your MUA to require STARTTLS.


Or for the server to terminate the connection if STARTTLS is not requested


Yes, but how would that prevent the attack?

The active attacker may tell your MUA to use plain text, but this doesn't mean the whole connection must be unencrypted end-to-end. I don't see why the connection past the attacker can't still use STARTTLS (or even "classic" port-based TLS). Google servers won't even know the connection is not secured end-to-end.

That said, requiring TLS/STARTTLS on the server side is a good idea. But it doesn't protect from downgrade attacks.
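As an added example (not from any commenter in this thread): the client-side rule discussed above, a MUA that refuses to continue when the EHLO reply does not advertise STARTTLS, written in Python against a constructed in-process stand-in server; the host name `mx.example.test`, the port and the server behaviour are assumptions for the demo.

```python
import smtplib
import socket
import threading

def fake_smtp_server(advertise_starttls):
    """Constructed in-process stand-in for an SMTP server (not a real MTA).
    With advertise_starttls=False its EHLO reply looks the way it does once
    an active attacker has stripped the STARTTLS capability line in transit.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 mx.example.test ESMTP ready\r\n")
            for line in rd:
                parts = line.split()
                verb = parts[0].upper() if parts else b""
                if verb == b"EHLO":
                    caps = [b"250-mx.example.test"]
                    if advertise_starttls:
                        caps.append(b"250-STARTTLS")
                    caps.append(b"250 SIZE 10240000")  # final line: space, not dash
                    conn.sendall(b"\r\n".join(caps) + b"\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port

def client_requires_starttls(host, port):
    """Return True only if the EHLO reply advertises STARTTLS. This is the
    client-side rule from the thread: the MUA must insist on STARTTLS, so a
    stripped capability makes it stop instead of falling back to plaintext."""
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.ehlo("client.example.test")
        if not smtp.has_extn("starttls"):
            return False  # nothing but EHLO has been sent; no content leaked
        # A real client continues with smtp.starttls(context=ssl.create_default_context())
        # and a second ehlo(); certificate validation stops an attacker answering it.
        return True
```

Making the server mandatory-STARTTLS does not change the outcome of this check; only the client's refusal to proceed without the capability does.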



