In reply to Comment by Reader Charles
A downgrade attack is trivial to protect against: a client will simply require STARTTLS and drop the connection when the server does not support ESMTP and encryption.
DNSSEC and DANE protect against a different vulnerability, which is that MUAs and MTAs can't reliably verify the server certificates. In the DNSSEC and DANE scenario, the attacker MITMs the encrypted connection: it receives an encrypted connection from the client and then makes an encrypted connection to the mail server. In other words, even if both client and server refuse unencrypted connections, that is all futile if the client cannot verify the server's certificate. DNSSEC signs DNS records to protect them from being tampered with by malicious or compromised recursive DNS resolvers, and DANE embeds the TLS certificate inside DNSSEC-signed records to avoid reliance on CAs, whose security model is totally broken for email. Additionally, there's also DNSCrypt/DNSCurve, which encrypts the connection to the DNS server to protect privacy against eavesdropping.
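The two checks the comment describes, a client that refuses to continue without STARTTLS and a client that verifies the server certificate against a DANE TLSA record instead of a CA, as an added example in Python (illustrative code written for this page, not from the commenter or any mail software). It assumes the TLSA record has already been fetched over a DNSSEC-validating resolver (the DNSSEC validation itself is outside the example), handles only certificate usage 3 (DANE-EE, the common case for SMTP per RFC 7672), and exercises the DER walker on a constructed, certificate-shaped DER blob rather than a real X.509 certificate; the walker follows the RFC 5280 field order, so `spki_from_cert_der` also works on a real certificate's DER.

```python
"""DANE-TLSA matching and a STARTTLS-required policy for an SMTP client.
Added example for illustration; not code from the original comment."""
import hashlib
import hmac
from typing import List, Tuple

# ---- STARTTLS-required policy --------------------------------------------

def starttls_offered(ehlo_reply: str) -> bool:
    """Return True if a (multi-line) EHLO reply advertises STARTTLS.
    Continuation lines look like '250-STARTTLS'; the last line uses a space."""
    for line in ehlo_reply.splitlines():
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            if line[4:].strip().upper() == "STARTTLS":
                return True
    return False

def require_starttls(ehlo_reply: str) -> None:
    """The commenter's policy: drop the connection instead of falling back to
    plaintext when the server does not offer STARTTLS."""
    if not starttls_offered(ehlo_reply):
        raise ConnectionError("server does not offer STARTTLS; refusing plaintext")

# ---- minimal DER walker to locate subjectPublicKeyInfo --------------------

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split SEQUENCE contents into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, nxt = _read_tlv(seq_value, pos)
        out.append((tag, value, seq_value[pos:nxt]))
        pos = nxt
    return out

def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Raw DER of SubjectPublicKeyInfo, per the RFC 5280 layout:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ...}"""
    _, cert_value, _ = _read_tlv(cert_der, 0)
    _, tbs_value, _ = _read_tlv(cert_value, 0)
    fields = _children(tbs_value)
    idx = 6 if fields[0][0] == 0xA0 else 5  # skip explicit [0] version if present
    return fields[idx][2]

# ---- TLSA record handling (RFC 6698 presentation format) -------------------

def parse_tlsa(rr: str) -> Tuple[int, int, int, bytes]:
    """Parse 'usage selector matching-type hexdata'."""
    usage, selector, mtype, data = rr.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))

def _assoc_data(subject: bytes, mtype: int) -> bytes:
    if mtype == 0:
        return subject                      # full data, no hash
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def tlsa_matches(cert_der: bytes, rr: str) -> bool:
    """True if the presented end-entity certificate matches one TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rr)
    if usage != 3:                          # DANE-EE only; DANE-TA needs chain building
        raise ValueError(f"certificate usage {usage} not handled in this example")
    subject = cert_der if selector == 0 else spki_from_cert_der(cert_der)
    return hmac.compare_digest(_assoc_data(subject, mtype), assoc)

def dane_verify(cert_der: bytes, tlsa_rrset: List[str]) -> bool:
    """Accept the server certificate if any record in the RRset matches."""
    return any(tlsa_matches(cert_der, rr) for rr in tlsa_rrset)

def make_tlsa(cert_der: bytes, selector: int = 1, mtype: int = 1) -> str:
    """Publish-side: derive the '3 <selector> <mtype> <hex>' record for a cert."""
    subject = cert_der if selector == 0 else spki_from_cert_der(cert_der)
    return f"3 {selector} {mtype} {_assoc_data(subject, mtype).hex()}"

# ---- CONSTRUCTED sample input (not a real certificate) ---------------------

def der_encode(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def constructed_cert(spki_payload: bytes) -> bytes:
    """Certificate-shaped DER blob with empty placeholder names/signature,
    built only to exercise the walker and the TLSA matching above."""
    tbs = der_encode(0x30, b"".join([
        der_encode(0xA0, der_encode(0x02, b"\x02")),  # [0] version v3
        der_encode(0x02, b"\x01"),                    # serialNumber
        der_encode(0x30, b""), der_encode(0x30, b""), # signature alg, issuer
        der_encode(0x30, b""), der_encode(0x30, b""), # validity, subject
        der_encode(0x30, spki_payload),               # subjectPublicKeyInfo
    ]))
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

if __name__ == "__main__":
    cert = constructed_cert(b"constructed-spki-bytes")
    rr = make_tlsa(cert)                    # what the server operator publishes
    print(rr)
    print("DANE match:", dane_verify(cert, [rr]))
    require_starttls("250-mail.example\r\n250-PIPELINING\r\n250 STARTTLS")
```

With a real certificate, `cert_der` would come from `ssl.PEM_cert_to_DER_cert` on the peer certificate after STARTTLS, and the RRset from a DNSSEC-validating lookup of `_25._tcp.<mx-host>`; the point the comment makes is that the match above replaces the CA chain check entirely, which is why the TLSA data is only trustworthy when the DNS answer was DNSSEC-signed.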