Many cloudy environments end up economizing on IP addresses. That means that there will be loads of neighbours, not all of them will be your mates. Once you have found a way in via another method, you now have this weapon to deploy. STARTTLS is massively used to secure internal comms as a (cough) "best practice". The article notes email related protocols but AD via LDAP is often accessed via port 389 with STARTTLS.
You may not be familiar with Hanno - he's been around for a while and knows what he is on about.
I'm not sure which real world you inhabit. This is quite horrendous.
(I'm not sure why "implicit" is used instead of "explicit" for full on TLS over STARTTLS. I suspect English as a foreign language).
"Explicit" is to be understood as asking for STARTTLS on OSI Level 7 instead of Level 4. If the client cannot establish an encrypted connection, the attempt is aborted in the first place. Of course, there is the hazard as in HTTPS that an MITM attacker might somehow cause a downgrade to the unencrypted protocol variant.
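The distinction above, as an added illustration that is not from any commenter or from the article under discussion: a small Python mail-client helper that either connects with implicit TLS (handshake first, on a dedicated port) or uses explicit STARTTLS on a plaintext port and fails closed when the upgrade cannot be completed. Hostnames and ports are placeholders; the EHLO reply in the test is constructed.

```python
import smtplib
import ssl


def build_client_context() -> ssl.SSLContext:
    """Strict client context: verify the chain and hostname, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_ehlo_extensions(ehlo_message: bytes) -> set:
    """Return the ESMTP extension keywords advertised in an EHLO reply body.

    smtplib hands back the reply lines with the 250 codes stripped; the first
    line is the server's greeting, each later line is 'KEYWORD [params]'.
    """
    lines = ehlo_message.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        keyword = line.strip().split(" ", 1)[0].upper()
        if keyword:
            extensions.add(keyword)
    return extensions


def connect_implicit_tls(host: str, port: int = 465) -> smtplib.SMTP:
    """Implicit TLS: the TLS handshake happens before any SMTP command is sent,
    so there is no plaintext phase for an on-path party to tamper with."""
    return smtplib.SMTP_SSL(host, port, context=build_client_context())


def connect_explicit_starttls(host: str, port: int = 587) -> smtplib.SMTP:
    """Explicit STARTTLS: start in plaintext, upgrade, and refuse to go on
    without encryption. Nothing the server said before the handshake is
    trusted; capabilities are re-read inside the encrypted channel."""
    client = smtplib.SMTP(host, port)
    try:
        _code, msg = client.ehlo()
        if "STARTTLS" not in parse_ehlo_extensions(msg):
            raise RuntimeError("server did not offer STARTTLS; refusing plaintext")
        # starttls() raises SMTPNotSupportedError / SMTPResponseException on
        # failure, so a downgrade attempt ends the session rather than
        # silently continuing in the clear.
        client.starttls(context=build_client_context())
        # smtplib discards the pre-TLS EHLO state after starttls(); re-issue
        # EHLO so only capabilities seen over TLS are used.
        client.ehlo()
        return client
    except Exception:
        client.close()
        raise


if __name__ == "__main__":
    # Placeholder host; both calls will fail without a reachable server.
    for connect in (connect_implicit_tls, connect_explicit_starttls):
        try:
            connect("mail.example.test").quit()
        except Exception as exc:  # noqa: BLE001 - demo only
            print(f"{connect.__name__}: {exc}")
```

Prefer the implicit form wherever the service offers it (465 for submission, 636 for LDAPS); the STARTTLS path exists only for servers that offer nothing else, and its job is to abort rather than degrade.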
As a civilian, if cloud compute server conditions internally result in exposing some mid-transaction packet insertion problem as a real thing, AND that in turn justifies some massive re-deployment of new network driver stacks to the detriment of just about everybody's gray hairs and finite hours in the day, then actually screw that, with emphasis.
Your keyboard should have at least two shift keys. We are generally all civilians (both of my parents were soldiers - I'm not but I did love growing up in West Germany, funny old world).
This is yet another CVS and as I happen to be the MD of an IT company, I take it seriously. It is a bit of a pain having to patch a lot of systems every month and fiddle with firewall rules in response to notes and more besides.
I don't intend to feature in an el Reg or HN article. I've been lucky so far.
> STARTTLS is massively used to secure internal comms as a (cough) "best practice"
Well, I've seen it be a "best practice", because of some legacy component that only supported ldap with starttls or plaintext. It wasn't so much "starttls is great" as "starttls is the best we can do right now".