←back to thread

I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)
656 points EthanHeilman | 3 comments | 27 Jan 22 15:06 UTC | HN request time: 0.815s | source
Show context
imrejonk ◴[27 Jan 22 21:48 UTC] No.30107220[source]
> Today’s email protocols use the STARTTLS protocol for encryption; it is laughably easy to do a protocol downgrade attack that turns off the encryption.

This can be solved with DANE, which is based on DNSSEC. When properly configured, the sending mailserver will force the use of STARTTLS with a trusted certificate. The STARTTLS+DANE combination has been a mandatory standard for governmental organizations in the Netherlands since 2016.

replies(1): >>30107304 #
philosopher1234 ◴[27 Jan 22 21:54 UTC] No.30107304[source]
Is DANE @tptacek approved of? You say DNSSEC and it triggers my internal alarm bells.
replies(1): >>30110322 #
1. tptacek ◴[28 Jan 22 03:14 UTC] No.30110322[source]
No, DANE is very bad. But it's a dead-letter standard, so I don't worry about much.
replies(2): >>30112197 #>>30114394 #
2. AndyMcConachie ◴[28 Jan 22 08:44 UTC] No.30112197[source]
You think no one is deploying DANE for SMTP?

https://stats.dnssec-tools.org/images/domains.svg

It's deployed on many more domains than MTA-STS.

replies(1): >>30115892 #
3. tptacek ◴[28 Jan 22 15:35 UTC] No.30115892[source]
Of course it is. There are only a couple of email providers that actually matter, but out in the long tail of domains that might never receive a single non-spam email, there are plenty that are auto-signed by registrars. It's telling that's the best evidence you have, and not, like, "Google Mail uses DANE".