36C3 preroll music Herald: Now for the next talk, he has worked for six years in the field of cryptography for the uni Karlsruhe - Oots. Applause Oots: OK, so thanks for the introduction and welcome to my talk. As our Herald just said, I've been working in the area of cryptography for the better part of the last six years. And I noticed that many people today have kind of a mental image of what cryptography is and what encryption is. But sometimes this mental image does not really coincide with what is actually going on. So I wanted to give an introductory talk to cryptography that is available to a broad audience. So to an audience that does not have any prior exposure to cryptography and maybe even to an audience that does not have a background in maths or computer science. So as I said before, this talk is specifically aimed at a non-technical audience, even though it's 36C3. We probably have a fairly technical audience. And this is a foundation's talk. So I will not be speaking about fancy research or cutting edge results. I will be talking about the plain basics. Okay. So apart from working in cryptography, I enjoy doing applied cryptography, number theory and pwning, so exploiting all kinds of memory, corruption, bugs and programs. Okay. This is a picture of my parents' cat. Just because every talk should have pictures of cats in them. And this is – applause Thanks. So this is my checklist for this talk. The first item I think we already did that. And so for the remainder of the talk, I want to explain what encryption is, what it does and what it does not do. I want to explain authentication, which is some ... which fixes a problem that encryption does not solve. I want to explain certificates because they help a lot with both encryption and authentication. And in the end, I want to explain a little how the things that I'm going to introduce work together and can be combined to build more useful things. Okay. So let's start with the first point here. I would like to explain encryption. So encryption is basically a solution to a problem. So let's talk about the problem we have before we get to the solution. The problem here is or one of the classical problems is that two parties want to communicate. So we cryptographers commonly call them Alice and Bob and Alice wants to send a message to Bob. So in this case, it's just a very stupid message. Just a simple hello. But cryptography has been used in diplomacy and military for hundreds of years. So imagine that this message is something more critical. And the problem we want to solve is that there might be an eavesdropper who is wanting to listen in on the connection and read the message, read the content that is being sent from Alice to Bob. And what some people think how cryptography works is something like the following, which is kind of close to the real thing, but not really, is that Alice applies some kind of encryption procedure to her plain text message to produce some random unintelligible gibberish, which we call the cipher text. And then Alice sends the cipher text to Bob. And Bob has the decryption procedure, knows how to decrypt. So to invert the encryption procedure and recover the plain text message. And now the point that some people get wrong is some people think that the knowledge how to decrypt is actually secret. But that is not true today. So in 1883, a person named Auguste Kerckhoffs formulated a couple of principles that ciphers used for military applications should adhere to, and one of these. And one of these requirements became well- known as Kerckhoffs principle and it reads "A cipher should not require secrecy and it should not be a problem if the cipher falls into enemy hands". So rephrasing this a little, the cipher that you are using should be secure enough that you can even tell your enemy or the attacker how the encryption process is working and how the decryption process is working without harming the security of the encryption. Or to rephrase this yet another time, if the cipher you are using is so insecure that you cannot tell anyone how it works, then maybe you shouldn't be using it in the first place. So let's get back to this image. So now, if the attacker knows how to decrypt the message, then obviously this very simple scheme does not yield anything useful. And so what people did is people introduced key to this image. So now the encryption procedure and the decryption procedure use a key which goes into the computation that is going on. So Alice does some kind of computation based on the message and the key to produce the cipher text. And Bob, who has the same key, can invert this encryption operation and recover the plain text. However, as long as the key is only known to Alice and Bob, but not to the attacker, the attacker cannot use the decryption procedure. So one general word here. I will not go into the details of how these boxes operate. So within these boxes, which represent computations, there is some math or computer science going on. And I would like to not explain how these things operate internally in order to keep this talk available to a broad audience. OK, so a problem that we have here is that Alice and Bob have to agree on the key in advance. So Alice cannot simply send over the key to Bob, because if she did, then the attacker who is eavesdropping on the connection learns the key as well as the message, and then the attacker could just decrypt the same as Bob. OK, so this does not work. This is a terrible attempt. So for quite some years, actually, until the 70s and 80s of the last century, people were only using this scheme. And this is what we call symmetric encryption because we could just flip the image around and Bob could be sending a message to Alice instead because encryption and decryption uses the same key. And if there is symmetric encryption, you can guess there is something else which is called asymmetric encryption and there is ... for asymmetric encryption, there is a pair of keys. One of them is used for encryption and one of them is used for decryption. And now if we have an asymmetric encryption scheme, we can do something like the following. So Bob generates a pair of these keys, one for encryption and one for decryption. And he keeps the decryption key to himself. This is why the decryption key is called the secret key. However, Bob can publish the encryption key for everyone to see. So, for example, it could be put in a kind of public registry like a phonebook or whatever. And now Bob can send his public key to Alice and an eavesdropper who is listening in on the connection will learn the public key, but that's not a problem because the key is public anyway. And now after we have done this, Alice can use Bob's encryption key to encrypt her message and send that over to Bob. And now Bob can decrypt the message with his secret decryption key. However, the eavesdropper here cannot simply decrypt the message because even though the eavesdropper has the encryption key, it does not have the decryption key and thus the eavesdropper cannot decrypt. Okay, however, this solution is still kind of risky. There is still a problem with this and it is we still have to make sure the keys are distributed in advance. Okay, so if we used this simple scheme where Bob is sending his public key to Alice, then there is a problem. If the attacker is not simply passively eavesdropping on the connection, but is willing to actively interfere with the connection. So, for example, the eavesdropper might intercept the public key that Bob is sending to Alice and replace it with his or her own public key. And then Alice would think that the key she received belongs to Bob and use this key to encrypt her message to Bob, and then suddenly the attacker can read the message again. So at this point, let's summarize about encryption, so encryption conceals the content of data. And this is pretty much what it does and pretty much the only thing that it does. In particular, it does not conceal the fact that there is communication going on. So an eavesdropper who is listening in on the connection obviously can see Alice sending a message to Bob. And thus the eavesdropper knows there is communication going on between Alice and Bob and this alone could be quite dangerous for Alice and Bob. So imagine if Alice was working for an intelligence agency and Bob was a journalist and the attacker sees Alice sending lots of documents to Bob, then this might be a strong indication that Alice is a whistleblower and Alice could be put into jail. So something more that is not concealed by encryption is the amount of data that is being exchanged. So if Alice is sending just a very short message to Bob then the eavesdropper can guess that the message that is being transferred is not a 20 GB file or something. So all this kind of metadata is something that encryption does not conceal. And there is a couple of more problems with encryption. One of them is that the attacker might change the message. Protecting from changes to the message is not the job of encryption. Another problem is that keys must be exchanged in advance, which I already talked about. And there's more problems. So, for example, an attacker might simply record a message when it is sent. And later, just replay this message to Bob. Or an attacker might go ahead and block a message altogether. So intercept the message and throw it into the trash to make sure it never arrives at Bob's site. Okay, and the first problem here, an attacker might change the message which actually leads me to the second part of my talk, which is authentication. So on my talk checklist, let's mark encryption as done. Okay, so now what is authentication? Authentication enables the detection of changes to data. It does not prevent changes from happening. It only enables the recipient to detect the changes after they have happened. OK. So, for example, or one example where something like authentication was needed is when Alice, um, when Bob was sending his public key to Alice, but this is by far not the only scenario where authentication is needed. So imagine if Alice is running a charitable organization. So, for example, she's saving refugees from drowning in the Mediterranean Sea. And Bob wants to donate to Alice to help her do that. Then Alice has to send her bank account number to Bob so that Bob can make the donation. And notice that in this scenario, the message that Alice is sending to Bob, her bank account number, is nothing that is secret. It does not have to be encrypted because this information is public knowledge. However, we do want to make sure that the message that arrives at Bob is indeed the correct bank account number. So to prevent something like this from happening where a criminal might intercept the message and replace the bank account number so Bob would send his money to the criminal's bank account instead of Alice's. And one way to realize authentication is, again, by having a pair of keys, one of them is used for authentication and one of them is used for verification. So checking if a message has been changed or not. And the authentication key must be kept secret. Thus it is called the secret key, whereas the verification key can be made public and it is called the public key. And now if you have a setup like this, then Alice can go ahead and take the message that she wants to send to Bob and apply some computation to it together with the secret key, the authentication key to produce something that we call a signature or a digital signature. And then Alice sends this signature over to Bob along with her bank account number. And Bob will take the signature that he receives and the bank account number he receives and apply some kind of computation to them to... and this computation will determine if the bank account number has been changed or is in fact original. So if the attacker changes the bank account number, then Bob will be able to detect this change by checking the signature. And this holds even if the attacker does not only change the bank account number, but also the signature. Okay? So these things are designed in a way which hopefully makes it impossible for any attacker to come up with a valid signature for anything else than the original message. OK. So the only thing that Bob will ...the only way that Bob will accept the signature is if the attacker does not, in fact, change the bank account number. And in this case, it is safe for Bob to transfer the money. OK, but here. OK. So here is a different solution to this problem. And it's actually pretty much the same, except that now we have just a single key which is used for both authentication and verification. And in this case, things simply have a different name. They work in exactly the same way, except that the signature is called a message authentication code or a MAC for short. OK. But in both of these scenarios, whether we have two distinct keys or just one key, we still have the problem of key distribution. OK. So imagine if in the segment a scenario with two keys, Alice was sending her public key to Bob, then we would have the same attack as before, namely the attacker could just go ahead and change the key that Alice is sending to Bob and exchange it for his own key. And so if the attacker is sending his own public key, his only… his own verification key to Bob, then obviously the attacker can create a valid signature for his forged bank account number. And Bob would accept this. OK, so again, we have this problem of key distribution, which is that the verification key must be known to Bob in advance. OK. And this leads me to my next... the next section of my talk. So let's mark authentication as done and go on with certificates. So a certificate is a document that confirms that a specific public key belongs to a specific entity, for example a person or an organization. And if we want to use certificates, let's just go back to the sender scenario we had before. So Alice wants to send her bank account number, her public key and a signature for her bank account number to Bob and an attacker might change the public key and the bank account number and the signature. And now if we add certificates into this, we need to add something that we call a certificate authority. And this is a trusted third party, which will create certificates which confirm the association between a person and a public key. So before Alice is sending a message to Bob, she will walk up to the certificate authority and say "Hey certificate authority. This is my public key. I'm Alice. Please give me a certificate." And then the certification authority will check that Alice is indeed Alice and that Alice indeed owns this public key. And if Alice passes these checks, then the certification authority will create a certificate and hand that to Alice, and the certificate is just a document which says that the certification authority has verified that the silvery key here on the slides belongs to Alice. And now once Alice has the certificate, she can just send her public key to Bob together with a certificate. And then Bob, if he knows the certificate authority's public key can check that the certificate is indeed correct. So it was indeed created by the certificate authority. And if he trusts the certificate authority, he will know that the silvery key is, in fact, Alice's. And then afterwards, Bob will be convinced that the silvery key is Alice's and he can check the message that Alice is sending to Bob and make sure it has not been changed. OK. So we're not completely free from the key distribution problem yet, however, because still Bob has to know the public key of the certification authority in advance. Okay. So Bob does not need to know Alice's public key in advance, but he needs to know the public key of the certification authority in advance. And in practice, there's not just a single certification authority, but there's a whole bunch of them and certification authorities can even create certificates for other certification authorities and so on. So now Bob does not have to know all the public keys of everyone he's communicating with, but he only has to know the public keys of a couple of certification authorities. Okay, so let's summarize about certificates. So as I said before, certificates confirm that a specific public key belongs to a specific entity like a person or an organization. But we're still not completely free from the key distribution problem because people have to know the certificate authority's public keys. And another problem here is that this scheme gives an enormous amount of power to a certification authority. So if an attacker can compromise a certification authority, then he could force the certification authority to create fake certificates, connecting fake keys to real identities. OK so he could create a fake certificate, which says that the certification authority has checked that the attackers public key belongs to Alice. And fixing this problem about the certification authorities' power is something that cryptographers are still working on. So that's still a problem today. And in fact, this problem is not just theoretical. There is a number of incidents that have happened with certification authorities. So one famous example is the "Diginotar" case where in fact a certification authority named Diginotar was hacked and the attackers created a fake certificate for a google.com domain or one of the other Google domains. I don't exactly remember. And then these certificates showed up being used in Iran. OK, so this is not just a theoretical problem. This has, in fact, happened before. OK, so this concludes what I wanted to say about certificates. So let's move on and see how these things can be put together to build more complex but also more useful tools. So one of the tools I want to introduce is called authenticated encryption and it's basically a combination of encryption and authentication. So for some reason, people use this phrase mostly in the symmetric case where there is one key for encryption and decryption and one key for authentication and for verification. But you could pretty much recreate the same scheme in an asymmetric fashion. And that is also being done in practice. In this case, people just don't call it authenticated encryption. So one way to build authenticated encryption is so if Alice wants to send a message to Bob, then she will encrypt the message using the encryption key and send the cipher text over to Bob. And then she will use a copy of the cipher text and compute a message authentication code from it using the second key that she has. And then, Bob, as Alice is going to send over that message authentication code to Bob, too. And now Bob can decrypt the message using the key he has. And additionally Bob can check if this message has been changed or whether it is original by using the verification procedure. OK, so again, this kind of authentication does not prevent changes from happening. But Bob can check whether a change has happened. And in fact, this kind of authenticated encryption can actually boost the security of the encryption scheme. OK, so another thing I wanted to talk about is called hybrid encryption. And this is the combination of symmetric encryption and asymmetric encryption. And the reason why this is interesting is that asymmetric encryption is usually quite slow compared to symmetric encryption. So if you wanted to send a very long message to Bob and you only had a public key encryption scheme, so an asymmetric encryption scheme, then it would take a very long time to encrypt the message and to decrypt the message. So however, you can combine asymmetric encryption and symmetric encryption in a way that makes the encryption process faster, and the way you do this is so if Alice wants to send a message to Bob, Alice first generates a new key for the symmetric encryption scheme. And Alice will encrypt her message with this key and send the cipher text over to Bob. And afterwards, Alice will take the symmetric key that she has just generated and encrypt this key with Bob's public key, and then that is sent over to Bob as well. And now Bob can decrypt the symmetric key using his secret decryption key - the kind of golden one here on the slides - to recover the symmetric key. And afterwards, Bob can use the freshly recovered symmetric key to decrypt the actual message. However, an eavesdropper listening in on the connection cannot decrypt the message because it does not have the symmetric key and it cannot decrypt the symmetric key because it does not have Bob's secret decryption key. OK. So you can continue to build on these kind of things and what you end up with is something called transport layer security or TLS for short. And transport layer security is a network protocol that combines much of the things that I've introduced so far. So it combines encryption either symmetric or hybrid and it combines it with authentication. So MACs and signatures and certificates and all the other things. And it adds in a couple of more things to detect replays of messages. So if an attacker was to simply replay a message recorded earlier, this is something that TLS can detect. And TLS can also detect if a message has been suppressed by the attacker. So within a connection. So what TLS does is it kind of establishes a secure connection between two entities. So say Alice and Bob over an insecure network which is controlled by the attacker. And one application where TLS is commonly used is for sending e-mails. So, for example, when you're sending an email from, say, Alice wants to send an email to Bob, then the e-mail is usually not sent directly. But Alice sends the message to her own email server and then Alice's e-mail server will forward this email to Bob's e-mail server. And when Bob goes online and checks his e-mails, the e-mail will be downloaded to his device like his phone or desktop computer or whatever device Bob is using. And while Alice can make sure that when she's uploading her message, her e-mail to her own server, that this connection is secure just by encrypting the message. So essentially using TLS and all the things that involves like encrypting the message and authenticating the message and so on. However, Alice cannot check if her own e-mail server also uses a secure connection to forward this e-mail to Bob's server. OK. So let us take a more detailed look here. So each of these green locks signifies a secure connection. This means that when a message is sent then or each time a message is sent over a secure connection, there is some encryption and authentication going on on the sender side and some decryption and verification going on on the receiving side. OK, so if Alice wants to send an e-mail to Bob, then Alice will build up a secure connection and send the email over it. And this will involve encrypting the e-mail and authenticating the e-mail. And Alice's server will decrypt the e-mail and verify that this has not been changed. And then Alice's server will forward the e-mail to Bob's server, which involves, again, encrypting it and authenticating it. And Bob's server will decrypt and verify it. And then again, the same process repeats when the e-mail is sent or is downloaded by Bob from his server. However, in this case so even though the message is encrypted every time it is sent over a network, it is known in plain text by Alice's server and Bob's server. Right. Because Alice is sending the message. So she is encrypting it and Alice's server is decrypting it. So Alice's server can read the message in plain text. And the same goes for Bob's server. And this is what we call transport encryption because the e-mail is encrypted every time it is being sent over network. And a concept opposed to this is what we call end to end encryption, where Alice, before sending the message, Alice encrypts it, but not with a key that is known to her server, but directly with Bob's public key. And she might even sign it with her own secret authentication key. And then Alice sends this already encrypted message over a secure channel to her own server, which involves encrypting the message again and authenticating it again, and then Alice's server will decrypt the message and verify that it has not been changed, however, the server cannot remove the second layer of encryption, right? So the e-mail is encrypted two times. One time was with Bob's key and a second time so that the server can decrypt it. And now the server can remove the second encryption. But the first one is still there. So, Alice's server cannot read the e-mail. And then the process repeats, the already encrypted message is encrypted a second time and decrypted again at Bob's server and then it is when it is downloaded by Bob it is encrypted again and decrypted again. And then finally, Bob, who has the secret key, the secret decryption key can remove the inner layer of encryption. And so Bob can read the message. However, the servers in between cannot read the message just because it is still encrypted with Bob's public key. OK, so with that, I would like to wrap up. Sorry. So I would like to wrap up. So here's a couple of take home messages. So the first one is encryption conceals the content of data. And that's pretty much all it does. It does not conceal the metadata and it does not prevent the message that is being sent from being changed. That is the job of authentication. Authentication enables the detection of changes to data and both for encryption and for authentication. You need to have pre-shared keys or are maybe not really pre-shared keys, but key distribution has to happen beforehand. And one way to make this problem of key distribution simpler is with certificates. So certificates confirm that a specific public key is owned by a specific entity. And if you have all these things, encryption and authentication and certificates, you can build a network protocol which takes care of securely transmitting a message from one place to another. And you can apply that to get transport encryption. But transport encryption is inferior to end to end encryption in the sense that with transport encryption, all the intermediaries can still read the e-mail or the message being sent. However, with end to end encryption, they cannot. And with that, I'd like to close and that I will be happy to answer your questions if there are any questions which you cannot ask today you can send me an email at this email address on the slides. I will try to keep that email address open for one or two years. applause Herald: Thank you for your talk. And now we would come to the question part, if you have any question, you can come up to microphones in the middle of the rows. Are there any questions from the Internet? We have plenty of time. If anyone comes up. With a question, you're invited. We have a question on microphone two, please. Mic 2: Thanks for your good talk, and I would like to know how can you change a message that was properly decrypted without the other receiving part noticing that the decryption doesn't work anymore? Oots: That depends on the encryption scheme that you're using. But for quite a number of encryption schemes, changing the message is actually quite simple. So there is a really large number of encryption schemes which just work by changing a couple of bits. Okay. So the message is made up of bits and your encryption scheme gives you a way to determine which of the bits to change and which not to change. So when you were encrypting, you use the encryption scheme to figure out which bits must be flipped. So change from zero to one or from one to zero and you just apply this bit change to the message that is being sent and then the receiver can just undo this change to recover that original message, whereas an attacker who does not know which bits have been flipped cannot. However. So still the attacker can just flip a couple of the bits, and in this case, so say the bit has been flipped by Alice and it is being flipped another time by the attacker. So the bit is at its original value again. And then Bob, who knows how to decrypt, will flip in another time. So it's changed again. And thus the message has been changed. And there's a couple of things you can do with this kind of with this kind of changes to the messages so that the decryption simply does not fail. It just maybe outputs the wrong message. Herald: OK. Next question from microphone six, please. Mic 6: You stated that encryption does not cover metadata. Are there any thoughts about that? Oots: Any thoughts? Mic 6: Yeah. Any solution for maybe encrypting metadata? I don't know. Oots: So much of this is pretty hard to come by. So, I mean, for emails, there is the idea of also encrypting the subject, which is usually not encrypted, however. So if you want to hide the length of the message, what you can do is simply pad the message. So just end random garbage at the end of it to kind of hide how long it is. Exactly. So the attacker will still have an upper bound on your message length, but it does not, so it knows that the message you're sending is that most as long as the cipher texts you're sending. But it doesn't know maybe it's shorter. So if you want to hide your identity while communicating, you should be going for something like Tor where you're not connecting directly to the person you want to communicate with, but via a couple of intermediaries in a way that none of the intermediaries know both you and the final recipient. Mic 6: Thank you Herald: Okay, then I believe we had a question from the Internet. Internet: Yes, uh, the Internet is asking, can you say anything about the additional power consumption of the encryption layers on a global scale? Oots: Sadly, I think I can not. So I do not exactly know how much power consumption is caused by the encryption, however. So in terms of computation, at least, symmetric encryption is quite cheap in the sense that it takes a couple of processor cycles to decrypt. I don't know. Sixteen blocks or something. So you can usually decrypt hundreds of megabytes per second with a processor. At least with a modern one. So I don't know any numbers, but I mean you can guess that if everyone in the first world countries is using encryption, then in the sum there is a pretty large amount of energy going into it. Herald: Next question. Microphone two, please. Mic 2: You mentioned a couple of times that an attacker might be able to replay a message. I haven't really understood. If I'm an attacker, how does this benefit me that I am able to do that? Oots: So imagine if Alice is sending an order to her bank to transfer some money. And every time the bank is receiving such an order, it will initiate the bank transfer. Then as an attacker, that would be pretty cool to exploit because you once eavesdrop on Alice sending such an order to the bank and then later on you can just repeat the same order to the bank and more money will be sent. So if you were the recipient, that would be pretty cool and you could just deplete Alice's bank account. Herald: Then a question from microphone three. Mic 3: I was in a talk about elliptic curve cryptography, and I'm wondering where it is would we apply now in your example or in your process you showed us. Oots: Um, let me maybe just go to another slide. Um. So typically encryption is applied or elliptic curves are applied within these encryption and decryption boxes. Okay. So there is a lot of mathematics going on in these computations, which I did not explain because I wanted to keep this talk accessible to a broad audience. But one way to realize such an encryption procedure is by using elliptic curves within these boxes. Herold: OK. Microphone one, please. Mic 1: Another limitation I could think of or how to overcome this is devices like IOT devices that have low power and limited processing capability. So how do you adapt this complex encryption? The encryption competition for those devices? Oots: There is some research going on on encryption schemes that are particularly lightweight, so particularly suited for resource constrained devices. But as far as I know, pretty much all of them have some weaknesses that came out of them. So they security wise, they do not offer the same guarantees as the ones that you use if you have the resources for it. Herald: On microphone two, please. Mic 2: Yeah. Hi. You mentioned the enormous power that certificate authorities have in the picture of certification and authentication. I was wondering if there I mean, what are the possible solution or the proposed solution at the moment? What is the state of the art on solving that problem? Oots: So one solution that is currently being pushed is called certificate transparency. And that works by basically creating a public or lots of public log files where each certificate that is ever created must be added to the log file. And so if you're Google dot com or if you are Google and you see someone entering Google's certificate into the log file and you know that you didn't ask for the certificate, then you know that there is a fake certificate out there. And so whenever you get a certificate, you are expected to check if the certificate is actually contained in one of the public log files. Does that answer the question? Mic 2: Yes. But how does appending a certificate would work? So, for example, making sure the certificate is recognized Alice as legitimate. Oots: OK. So the idea is whenever you get a certificate, it will be put in a log file and everyone who gets the certificate is expected to check that the log file is actually there. Mic 2: So it is the certificate authority that also pushes the certificate to the log? Oots: That's how it's expected to work. Yes. Mic 2: OK. Thank you. Oots: You're welcome. Herold: Then we have one more question from the Internet. Internet: The Internet wants to know can we or where can we get an authentication for a PGP key and how to apply it on a key afterwards. Is there a possibility somehow? Oots: I guess that depends. So with PGP, the common model is that there is not a or there is not a central certification authority or a bunch of them, but so you have kind of a social graph of people who know each other and exchange e-mails. And each of these e-mails, each of these users should authenticate the public keys of their peers. OK? So when you want to communicate with someone who you do not already know, but who's maybe a friend of a friend of yours, then hopefully your friend will have authenticated the public key of his friend. And if you trust your friend, you can then check that your friend, in fact, has created a kind of a certificate for his friend. Herald: Are there more questions from the Internet? One more? Yes, please. Internet: I don't know if it's a question regarding your talk, really, but someone wants to know. Would you recommend startTLS and SSL/TLS in e-mail? Oots: So as far as I'm concerned, I would always opt for using encryption on the outermost layer. So first, building a secure connection to your email server and then doing SMTP or whatever over that connection. So I think directly establishing the connection in a secure manner is as is a better way to do it than with startTLS. Herold: I believe that what is it, was it for questions? Please have a last round of applause for Oots! applause 36c3 postroll music Subtitles created by c3subtitles.de in the year 2020. Join, and help us!