From: David Woolley <email@example.com> Message-Id: <199803081053.KAA11144@djwhome.demon.co.uk> To: firstname.lastname@example.org (Phil Peterson) Date: Sun, 8 Mar 1998 10:53:27 +0000 (GMT) Cc: email@example.com, uri@Bunyip.Com, firstname.lastname@example.org In-Reply-To: <35019BEB.A9694780@netscape.com> from "Phil Peterson" at Mar 7, 98 11:11:39 am Subject: Re: LYNX-DEV problem with 'news' url draft Phil Peterson wrote: > There is, as Keith Moore suggested, a trend towards negotiating TLS > using the protocol itself. An implementation has been suggested for SMTP > in draft-hoffman-smtp-ssl-05.txt. While our NNTP/SSL support predates > this trend, it seems to me that TLS can be autodetected and does not, in > general, require more ports to pass through the firewall. This requires > additional syntax in each protocol, and maybe the NNTPEXT group will > consider that for NNTP. The original issue I was thinking of is the sort of scenario where the management of a company calls in a security consultant who tells them that permitting clear text through their firewall is undesirable and that they should block most clear text ports. I think this sort of thing does happen where the power doesn't lie with the people with technical understanding; the management wants to play safe without understanding the issues. In that sort of case you would need an application level firewall to selectively block unencrypted traffic. The other issue relates to local cacheing and proxying. Although you could have a server which opened an SSL/TLS trasnparent relay on detecting a secure session, the legal issues involved would tend to force that to be a commercial product (remember that this is on the mailing list for a freeware browser).