In reply to Comment by Reader Charles
You raise yet another issue, which is checking certificates. I would guess that virtually no email provider checks certificates. The problem is that there's no way to know what the name on the certificate should be. Ideally it would match the domain of the email address you're sending to, but this is rarely the case because domains usually delegate their mail to servers under other domains using MX records. And without DNSSEC, the MX delegation is completely unauthenticated, making it pointless to check that the certificate name matches the name in the MX record.
For example, gmail.com's smallest-priority MX server is `gmail-smtp-in.l.google.com`. The names on `gmail-smtp-in.l.google.com`'s certificate are:
gmail.com
DNS:aspmx.l.google.com, DNS:alt1.aspmx.l.google.com, DNS:alt2.aspmx.l.google.com, DNS:alt3.aspmx.l.google.com, DNS:alt4.aspmx.l.google.com, DNS:gmail-smtp-in.l.google.com, DNS:alt1.gmail-smtp-in.l.google.com, DNS:alt2.gmail-smtp-in.l.google.com, DNS:alt3.gmail-smtp-in.l.google.com, DNS:alt4.gmail-smtp-in.l.google.com, DNS:gmr-smtp-in.l.google.com, DNS:alt1.gmr-smtp-in.l.google.com, DNS:alt2.gmr-smtp-in.l.google.com, DNS:alt3.gmr-smtp-in.l.google.com, DNS:alt4.gmr-smtp-in.l.google.com, DNS:mx.google.com, DNS:aspmx2.googlemail.com, DNS:aspmx3.googlemail.com, DNS:aspmx4.googlemail.com, DNS:aspmx5.googlemail.com.
gmail.com doesn't appear anywhere in that list. So even though the name of the MX server does appear in that list, since the MX record lookup was unauthenticated, a program has no way of knowing that `gmail-smtp-in.l.google.com` is `gmail.com`'s true MX server, and not a bogus server set up by an active attacker who can manipulate DNS.
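The policy described in the comment above, as an added example that is not part of the original post or anyone's mail server: given the recipient domain, the MX host the (unauthenticated) DNS lookup returned, and the DNS names on the server's certificate, decide whether the certificate proves anything. The SAN list is the one quoted in the thread, embedded as constructed input so the example runs offline; the `fetch_smtp_sans` helper (an assumption about how one would gather the live input, built on the standard `smtplib` and `ssl` modules) is included but not exercised by the offline demo.

```python
"""Does an SMTP server certificate prove anything about the mail domain?

Example added to illustrate the comment above; not part of the original page.
A name equal to the recipient's domain needs no trust in DNS at all. A name
equal to the MX host only helps if the MX answer itself was authenticated
(DNSSEC), because otherwise the attacker who forged the MX record also chose
the host name the certificate will be checked against.
"""
import smtplib
import ssl
from dataclasses import dataclass

# Subject Alternative Names quoted in the comment for gmail-smtp-in.l.google.com
# (constructed input copied from the thread; check a live cert before relying on it).
GMAIL_MX_SANS = [
    "aspmx.l.google.com", "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
    "alt3.aspmx.l.google.com", "alt4.aspmx.l.google.com",
    "gmail-smtp-in.l.google.com", "alt1.gmail-smtp-in.l.google.com",
    "alt2.gmail-smtp-in.l.google.com", "alt3.gmail-smtp-in.l.google.com",
    "alt4.gmail-smtp-in.l.google.com",
    "gmr-smtp-in.l.google.com", "alt1.gmr-smtp-in.l.google.com",
    "alt2.gmr-smtp-in.l.google.com", "alt3.gmr-smtp-in.l.google.com",
    "alt4.gmr-smtp-in.l.google.com",
    "mx.google.com", "aspmx2.googlemail.com", "aspmx3.googlemail.com",
    "aspmx4.googlemail.com", "aspmx5.googlemail.com",
]


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.rstrip(".").lower()


def san_matches(host: str, sans) -> bool:
    """True if any DNS SAN matches host. Wildcards follow the RFC 6125 rule used by
    browsers: '*' may only be the whole leftmost label and matches exactly one label,
    so '*.l.google.com' matches 'x.l.google.com' but not 'a.b.l.google.com'."""
    host_labels = _normalize(host).split(".")
    for san in sans:
        san_labels = _normalize(san).split(".")
        if len(san_labels) != len(host_labels):
            continue
        first, rest = san_labels[0], san_labels[1:]
        if rest != host_labels[1:]:
            continue
        if first == host_labels[0] or (first == "*" and host_labels[0] != ""):
            return True
    return False


@dataclass
class MxCertVerdict:
    mail_domain: str
    mx_host: str
    matches_mail_domain: bool
    matches_mx_host: bool
    mx_lookup_authenticated: bool

    @property
    def trustworthy(self) -> bool:
        # Recipient-domain match: good regardless of DNS.
        # MX-host match: only good if the MX record came from a validated (DNSSEC) answer.
        return self.matches_mail_domain or (
            self.matches_mx_host and self.mx_lookup_authenticated
        )


def check_mx_certificate(mail_domain: str, mx_host: str, sans,
                         mx_lookup_authenticated: bool = False) -> MxCertVerdict:
    """Apply the policy above to one delivery attempt."""
    return MxCertVerdict(
        mail_domain=mail_domain,
        mx_host=mx_host,
        matches_mail_domain=san_matches(mail_domain, sans),
        matches_mx_host=san_matches(mx_host, sans),
        mx_lookup_authenticated=mx_lookup_authenticated,
    )


def fetch_smtp_sans(mx_host: str, port: int = 25, timeout: float = 10.0):
    """Live helper (assumed usage, not run offline): STARTTLS to mx_host, require a
    chain to a trusted CA, but skip ssl's built-in hostname check, because we, not
    the library, decide which name the certificate must carry."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()  # populated because the chain was verified
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    v = check_mx_certificate("gmail.com", "gmail-smtp-in.l.google.com", GMAIL_MX_SANS)
    print(f"mail domain on cert: {v.matches_mail_domain}, MX host on cert: "
          f"{v.matches_mx_host}, trustworthy without DNSSEC: {v.trustworthy}")
```

Running the demo on the quoted SAN list gives a match on the MX host but not on `gmail.com`, so `trustworthy` is false until `mx_lookup_authenticated=True` is passed, which is exactly the comment's point: the name check is only as strong as the DNS answer that produced the name. The `fetch_smtp_sans` helper deliberately keeps `CERT_REQUIRED` while turning off `check_hostname`; setting `verify_mode` to `CERT_NONE` would make `getpeercert()` return an empty dict and would also accept any self-signed certificate.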