[Nottingham] Email downgrade attacks?

Mike Cardwell nlug at lists.grepular.com
Thu Nov 13 09:16:01 UTC 2014


* on the Thu, Nov 13, 2014 at 08:46:47AM +0000, Jason Irwin wrote

>> Annoyingly, this breaks DANE. I publish fingerprints of the certs which my MX
>> servers use
> I think I followed all that. So DANE coupled with DNSSEC is a way to
> verify that the sender/receiver is who they claim to be?

Kind of. It's essentially a way of verifying that an SSL certificate is valid.
The current way of validating that an SSL certificate is valid is checking
that the common name matches the hostname you're expecting, and then checking
that it's signed by a CA that you trust. The DANE way is just doing a DNS
lookup to get the fingerprint and seeing if it matches the presented cert. With
SMTP, if you have a TLSA record, that also means that the connection *MUST* be
encrypted. I also publish DANE records for https:

mike at Mike-PC:~$ dig +short tlsa _443._tcp.grepular.com
3 1 1 B39239C1783106ACC139ECC5BFFAF121390DAA204981017D18DEC59E B0B4610B
mike at Mike-PC:~$ 

At the moment, no browsers support this, but there is a Firefox addon at least:
https://www.dnssec-validator.cz/ - If browsers supported this, then we'd be
able to drop the CAs and just use free self-signed certificates.

>> FYI, DANE support is available in Postfix today, and is being worked on by the
>> guys at Exim too.
> At some point I will get back to fiddling with Postfix. I did have it
> sort of working, which I was chuffed about.
> Had a minor fankle with certs (I was dicking around with self-signed)
> and then it kinda fell by the wayside.
> (Martin....)

I've only recently started playing with Postfix myself. Have it on my primary
MX/submission server. Still using Exim on the secondary for now.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
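The matching step Mike describes (look up the TLSA record, compare it with the presented certificate) carried through in code. This is an added example, not code from the post or from Postfix/Exim: it parses the text form `dig +short tlsa` prints (including the whitespace dig inserts into long hex strings, as in the `_443._tcp.grepular.com` output above), derives the matching data for all three selector/matching-type combinations with the standard library only, and applies the SMTP rule from RFC 7672 that only usage 2 (DANE-TA) and 3 (DANE-EE) records are usable and that any usable record makes TLS mandatory. The certificate and SubjectPublicKeyInfo bytes are constructed sample data, not grepular.com's real key; in practice you would take them from the certificate the server presents during the TLS handshake (Python's `ssl` module gives you the DER via `getpeercert(binary_form=True)`).

```python
"""DANE/TLSA matching for a presented certificate (added example, stdlib only)."""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate DER, 1 SubjectPublicKeyInfo DER
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa(text: str) -> TLSARecord:
    """Parse "3 1 1 B392...C59E B0B4610B" as printed by `dig +short tlsa`.

    dig wraps long hex data into space-separated chunks, so the hex part
    is joined before decoding; a naive bytes.fromhex() on the raw field fails.
    """
    parts = text.strip().split(None, 3)
    if len(parts) != 4:
        raise ValueError(f"malformed TLSA record: {text!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return TLSARecord(usage, selector, mtype, bytes.fromhex(re.sub(r"\s+", "", parts[3])))


def _selected(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Selector: which part of the certificate the record describes."""
    if rec.selector == 0:
        return cert_der
    if rec.selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {rec.selector}")


def _matched(rec: TLSARecord, blob: bytes) -> bytes:
    """Matching type: how the selected bytes are transformed before comparison."""
    if rec.mtype == 0:
        return blob
    if rec.mtype == 1:
        return hashlib.sha256(blob).digest()
    if rec.mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches the record's association data."""
    expected = _matched(rec, _selected(rec, cert_der, spki_der))
    return hmac.compare_digest(expected, rec.data)


def tlsa_record_for(cert_der: bytes, spki_der: bytes,
                    usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Produce the record text you would publish for a certificate (default 3 1 1)."""
    rec = TLSARecord(usage, selector, mtype, b"")
    digest = _matched(rec, _selected(rec, cert_der, spki_der))
    return f"{usage} {selector} {mtype} {digest.hex().upper()}"


def usable_for_smtp(rec: TLSARecord) -> bool:
    """RFC 7672: SMTP DANE uses only DANE-TA(2)/DANE-EE(3) with known selector/type."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)


def requires_tls(records) -> bool:
    """The rule from the post: a usable TLSA record means the session MUST be encrypted."""
    return any(usable_for_smtp(r) for r in records)


# Constructed sample data (NOT real keys): an Ed25519 SubjectPublicKeyInfo DER
# prefix followed by 32 placeholder key bytes, and a placeholder certificate blob.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes-not-real-DER"


if __name__ == "__main__":
    published = tlsa_record_for(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    rec = parse_tlsa(published)
    print(published)
    print("matches presented SPKI:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("TLS mandatory:", requires_tls([rec]))
```

With usage 3 (DANE-EE) the CA chain and hostname check are skipped entirely, which is exactly why a self-signed certificate works once the TLSA record is in place; the security of the scheme then rests on DNSSEC protecting the record, so a resolver that does not validate DNSSEC must treat the lookup as unauthenticated and fall back to ordinary (or opportunistic) TLS rather than trusting the fingerprint.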