In reply to Comment by Reader Charles
The client has to know that the server supports TLS somehow. Someone else mentioned DNSSEC+DANE, but that's not widely deployed and it's questionable whether it ever will be.
In practice the way it works with mail clients is you tell it when configuring your account. For example Thunderbird has a drop-down box called "Connection Security" with the options "None", "STARTTLS", and "SSL/TLS". (Many mail clients have something similar.) The concern is that the "STARTTLS" would be vulnerable to the downgrade attack, while "SSL/TLS" wouldn't be. (Note: I'm extremely confident Thunderbird does this correctly. The concern is with other, less widely used software.)
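Added example (not from the comment author): a client-side model of the three "Connection Security" modes above, run against constructed EHLO replies, showing why a strict STARTTLS client must abort when the capability is missing and how a lax one degrades to plaintext. Server name, reply text and function names are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed EHLO replies: one from an honest server, one where the
# STARTTLS capability is absent (what a stripped upgrade looks like on the wire).
EHLO_WITH_STARTTLS = ("250-mail.example.invalid\r\n250-SIZE 35882577\r\n"
                      "250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
EHLO_STRIPPED = ("250-mail.example.invalid\r\n250-SIZE 35882577\r\n"
                 "250 AUTH PLAIN LOGIN\r\n")


def ehlo_keywords(reply: str) -> set[str]:
    """Return the capability keywords advertised in a multi-line EHLO reply."""
    caps = set()
    for line in reply.splitlines()[1:]:  # first line is the server greeting
        text = line[4:]                  # drop the "250-" / "250 " prefix
        caps.add(text.split()[0].upper())
    return caps


@dataclass
class Decision:
    proceed: bool     # continue to AUTH / sending credentials?
    encrypted: bool   # will that happen inside TLS?
    reason: str


def decide(mode: str, ehlo_reply: str, strict: bool = True) -> Decision:
    """Decide whether to continue, given the client's Connection Security
    setting: "none", "starttls" or "ssl/tls" (hypothetical helper)."""
    if mode == "ssl/tls":
        # Implicit TLS: the handshake completes before any SMTP command,
        # so there is no capability an on-path party could strip.
        return Decision(True, True, "implicit TLS established before EHLO")
    if mode == "none":
        return Decision(True, False, "plaintext by configuration")
    if "STARTTLS" in ehlo_keywords(ehlo_reply):
        return Decision(True, True, "STARTTLS advertised; upgrade before AUTH")
    if strict:
        # Correct behaviour: the user asked for TLS, so missing STARTTLS is an error.
        return Decision(False, False, "STARTTLS required but not advertised; abort")
    # The vulnerable behaviour the comment worries about: silent fallback.
    return Decision(True, False, "STARTTLS missing; continuing in plaintext")
```

In the "ssl/tls" mode the EHLO contents never matter, which is why that setting is immune to the capability-stripping concern while a non-strict "starttls" client is not.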