zlacker

[return to "I read the federal government’s Zero-Trust Memo so you don’t have to"]
1. imrejo+Hv1[view] [source] 2022-01-27 21:48:16
>>EthanH+(OP)
> Today’s email protocols use the STARTTLS protocol for encryption; it is laughably easy to do a protocol downgrade attack that turns off the encryption.

This can be solved with DANE, which is based on DNSSEC. When properly configured, the sending mailserver will force the use of STARTTLS with a trusted certificate. The STARTTLS+DANE combination has been a mandatory standard for governmental organizations in the Netherlands since 2016.

◧◩
2. philos+3x1[view] [source] 2022-01-27 21:54:00
>>imrejo+Hv1
Is DANE @tptacek approved of? You say DNSSEC and it triggers my internal alarm bells.
◧◩◪
3. tptace+Jj2[view] [source] 2022-01-28 03:14:03
>>philos+3x1
No, DANE is very bad. But it's a dead-letter standard, so I don't worry about much.
[go to top]