[Ach] filippo on SSL SMTP encryption
Thomas Preissler
thomas at preissler.co.uk
Tue Mar 31 17:25:46 CEST 2015
On Tue, Mar 31, 2015 at 04:21:25PM +0200, L. Aaron Kaplan wrote:
> https://blog.filippo.io/the-sad-state-of-smtp-encryption/
>
> Nice reading.
>
> "Conclusion
> So this is it. The Internet is terrible and until DNSSEC sees wide
> deployment SMTP will have at best opportunistic encryption."
>
> (...)
>
> "Still, STARTTLS is better than allowing dragnet surveillance, so
> please, please support it. You don't even have to get a signed
> certificate! There are no excuses."
>
>
> Even though I heard some critical voices on dnssec, I do believe we
> should cover it in our guide...
I have implemented DNSSEC on a .co.uk domain using Nominet's DSS (DNSSEC
signing service). Yes, it is a service, you don't have any influence
which encryption they use. And you don't have an option here, you can't
go with a different provider.
There are obviously also others which implement it differently, maybe
even better. I know some give you the choice which algorithms you want
to use.
Full disclosure, I am not keen on DNSSEC and the flaws are all well
known. I am not repeating them here. Why I have implemented it then? I
like playing with new technologies, also being an early adopter. Going
along and implementing it (and also realizing that Nominet had a flaw in
the DSS implementation when you use IPv6) made me to learn about its
downsides.
Reading through that post about SMTP made me think, why not implementing
HTST for SMTP? I understand this is probably not the best field of
suggesting new standards here. And while we're at it, maybe use HPKP as
well for SMTP.
Just my 2¢
Thomas
--
www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint: CCBD 153A D257 CA7E A217 FDF7 5928 03D1 7588 9415
More information about the Ach
mailing list