←back to thread

SSH3: Faster and rich secure shell using HTTP/3

(github.com)
532 points tempaccount420 | 5 comments | 27 Sep 25 14:27 UTC | HN request time: 0s | source
Show context
temp0826 ◴[27 Sep 25 15:22 UTC] No.45396500[source]
I don't know why it makes me a little sad that every application layer protocol is being absorbed into http.
replies(9): >>45396579 #>>45396700 #>>45396749 #>>45396886 #>>45396904 #>>45398062 #>>45398924 #>>45400059 #>>45421671 #
zenmac ◴[27 Sep 25 15:59 UTC] No.45396904[source]
Yeah we got those good old network ppl or their corporate (don't knows much about tech) overlord to thank for that.

If you ever using wifi in the airport or even some hotel with work suite unit around the world, you will notice that Apple Mail can't send or receive emails. It is probably some company wide policy to first block port 25 (that is even the case with some hosting providers) all in the name of fighting SPAM. Pretty soon, 143, 587, 993, 995.... are all blocked. Guess 80 and 443 are the only ones that can go through any firewalls now days. It is a shame really. Hopefully v6 will do better.

So there you go. And know EU wants to do ChatControl!!!! Please stop this none-sense, listen to the people who actually knows tech.

replies(3): >>45397051 #>>45400087 #>>45402553 #
1. Telemakhos ◴[27 Sep 25 16:12 UTC] No.45397051[source]
Port 25 is insecure and unencrypted; EU doesn't even need ChatControl to hoover up that data, and you'd better believe anything going through an airport wifi router unencrypted is being hoovered by someone no matter what jurisdiction you're in. Apple mail prefers 587 for secure SMTP and 993 for secure IMAP.

People were (wisely) blocking port 25 twenty years ago.

replies(4): >>45397501 #>>45398102 #>>45402539 #>>45403013 #
2. zenmac ◴[27 Sep 25 17:02 UTC] No.45397501[source]
Ah thanks for the correction. Just changed my post above to 587. What I mean is why block all the ports, just keep it open let the user decide if they want to use it. And linux people can always use ufw on their side to be safe. Back in the dot com days, there were people also using telnet, but that got changed to ssh.

Is it because it is hard to detect what type of the request that is being sent? Stream vs Non Stream etc?

3. Fnoord ◴[27 Sep 25 18:10 UTC] No.45398102[source]
> People were (wisely) blocking port 25 twenty years ago.

20 years ago (2005) STARTTLS was still widely in use. Clients can be configured to call it when STARTTLS isn't available. But clients can also be served bogus or snake oil TLS certs. Certificate pinning wasn't widely in use for SMTP in 2005.

Seems STARTTLS is deprecated since 2018 [1]

Quote: For email in particular, in January 2018 RFC 8314 was released, which explicitly recommends that "Implicit TLS" be used in preference to the STARTTLS mechanism for IMAP, POP3, and SMTP submissions.

[1] https://serverfault.com/questions/523804/is-starttls-less-sa...

4. lxgr ◴[28 Sep 25 07:52 UTC] No.45402539[source]
The main problem with port 25 isn't that it's unencrypted, but rather that it's mixing two two concerns: (Often unauthenticated) server-to-server mail forwarding, and (hopefully always authenticated, these days) client-to-server mail submission.

A network admin can reasonably want to have the users of their network not run mail servers on it (as that gets IPs flagged very quickly if they end up sending or forwarding spam), while still allowing mail submission to their servers.

5. blueflow ◴[28 Sep 25 09:33 UTC] No.45403013[source]
Port 25, which you call insecure and unencrypted, is using the same protocol as port 587, which you call secure - SMTP with STARTTLS.