[Nottingham] Email downgrade attacks?

Jason Irwin jasonirwin73 at gmail.com
Thu Nov 13 08:47:01 UTC 2014


On 12/11/14 15:48, Mike Cardwell wrote:
> Annoyingly, this breaks DANE. I publish fingerprints of the certs which my MX
> servers use
I think I followed all that. So DANE coupled with DNSSEC is a way to
verify that the sender/receiver is who they claim to be?
If so, we need that globally about 15 years ago!
Warning: You have no idea of the depths of my ignorance when it comes to
networking. I nearly made Martin cry once. :-)

> So if some cretinous ISP like Verizon comes along and strips out STARTTLS from
> the EHLO response in the connection between me and some other party, the sending
> mail server will notice the lack of encryption and the message will be bounced
> back to the sender instead of delivered.
Here's a thought. Have Verizon just breached copyright? They have
effectively edited your message to create a derivative work; unless you
granted them permission, that would appear to be a simple breach.
IIRC court cases have been levied against some services for
stripping/modifying adverts of web pages whilst in-flight.

> FYI, DANE support is available in Postfix today, and is being worked on by the
> guys at Exim too.
At some point I will get back to fiddling with Postfix. I did have it
sort of working, which I was chuffed about.
Had a minor fankle with certs (I was dicking around with self-signed)
and then it kinda fell by the wayside.
(Martin....)

-- 
╔═════════════╦══════════════════════════════════════════╗
║ Jason Irwin ║ OpenPGP (GPG/PGP) Public Key: 0xD0C592B1 ║
║             ║ Import from hkp://pgp.mit.edu            ║
╚═════════════╩══════════════════════════════════════════╝
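
To illustrate the failure mode Mike describes (a DANE-aware sender refusing to fall back to cleartext when STARTTLS disappears from the EHLO reply), here is an added Python example; it is not code from this thread, from Postfix or from Exim. The EHLO replies, TLSA records and the certificate/SPKI byte strings are constructed stand-ins, and the decision logic is a simplified model of the RFC 7672 behaviour rather than any MTA's real implementation.

```python
"""Model of a DANE-aware SMTP client's reaction to a stripped STARTTLS
advertisement.  Added example, not code from the mailing-list thread,
Postfix or Exim.  All inputs below are constructed for illustration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsaRecord:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE; 0/1 are treated as unusable for SMTP (RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # the association data published in DNS


def parse_ehlo(reply: str) -> set[str]:
    """Return the capability keywords from a multi-line EHLO reply.

    The first 250 line carries the server's hostname, not a capability,
    so it is skipped.
    """
    caps = set()
    lines = [l for l in reply.splitlines() if l.startswith("250")]
    for line in lines[1:]:
        keyword = line[4:].split(" ", 1)[0].strip().upper()
        if keyword:
            caps.add(keyword)
    return caps


def decide(tlsa_records: list[TlsaRecord], dnssec_validated: bool,
           ehlo_caps: set[str]) -> str:
    """Decide what the sending MTA does with this session.

    Returns 'proceed-tls', 'proceed-cleartext' or 'defer'.  'defer' is the
    DANE outcome: the message is retried and eventually bounced to the
    sender rather than delivered in the clear, as described in the thread.
    """
    # TLSA records only count when DNSSEC-validated and of a usable usage.
    dane_usable = dnssec_validated and any(r.usage in (2, 3) for r in tlsa_records)
    if "STARTTLS" in ehlo_caps:
        return "proceed-tls"
    if dane_usable:
        return "defer"              # DNS promised TLS; a missing STARTTLS is a failure
    return "proceed-cleartext"      # opportunistic TLS only: nothing to anchor on


def matches_tlsa(spki_der: bytes, cert_der: bytes, record: TlsaRecord) -> bool:
    """Check whether a presented certificate satisfies one TLSA record."""
    selected = spki_der if record.selector == 1 else cert_der
    if record.matching == 0:
        return selected == record.data
    if record.matching == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False


# Constructed stand-ins for a server's DER-encoded certificate and its SPKI.
SAMPLE_CERT = b"constructed-cert-der-bytes"
SAMPLE_SPKI = b"constructed-spki-der-bytes"
# A "3 1 1" record: DANE-EE, SPKI selector, SHA-256 matching (what most
# DANE-for-SMTP deployments publish).
PUBLISHED = [TlsaRecord(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())]

# Constructed EHLO replies: one intact, one with STARTTLS stripped in transit.
EHLO_INTACT = "250-mx.example.net\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_STRIPPED = "250-mx.example.net\r\n250-SIZE 10240000\r\n250 8BITMIME"

if __name__ == "__main__":
    for label, reply in (("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED)):
        caps = parse_ehlo(reply)
        print(f"{label:9} with DANE:    {decide(PUBLISHED, True, caps)}")
        print(f"{label:9} without DANE: {decide([], False, caps)}")
    print("fingerprint matches:", matches_tlsa(SAMPLE_SPKI, SAMPLE_CERT, PUBLISHED[0]))
```

The two runs of `decide` show the difference the thread is about: without a validated TLSA record the sender has nothing to compare against and quietly falls back to cleartext, whereas with one it defers instead, so tampering in the middle becomes a visible delivery failure rather than a silent downgrade.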