← Back to context

Comment by bigiain

7 years ago

> STARTTLS is vulnerable to downgrade attacks by mitm.

Not only that, but intentionally downgrading STARTTLS commands has as times been the default configuration for some Cisco routing gear.

(Buy me a beer one day and I might tell you about the time I charged one of Australia's big four banks about $70k to debug that in a router on their internal network that nobody there knew existed...)

Which routers did that? I'm well aware that the ASA firewalls did it ("ESMTP inspection") -- I've disabled that dozens of times -- but I've never heard of a router that did it (by default).