[Ach] filippo on SSL SMTP encryption

Thomas Preissler thomas at preissler.co.uk
Tue Mar 31 17:25:46 CEST 2015

On Tue, Mar 31, 2015 at 04:21:25PM +0200, L. Aaron Kaplan wrote:
> https://blog.filippo.io/the-sad-state-of-smtp-encryption/
> Nice reading.
> "Conclusion
> So this is it. The Internet is terrible and until DNSSEC sees wide
> deployment SMTP will have at best opportunistic encryption."
> (...)
> "Still, STARTTLS is better than allowing dragnet surveillance, so
> please, please support it. You don't even have to get a signed
> certificate! There are no excuses."
> Even though I heard some critical voices on dnssec, I do believe we
> should cover it in our guide...

I have implemented DNSSEC on a .co.uk domain using Nominet's DSS (DNSSEC
signing service). Yes, it is a service, you don't have any influence
which encryption they use. And you don't have an option here, you can't
go with a different provider.
There are obviously also others which implement it differently, maybe
even better. I know some give you the choice which algorithms you want
to use.
Full disclosure, I am not keen on DNSSEC and the flaws are all well
known. I am not repeating them here. Why I have implemented it then? I
like playing with new technologies, also being an early adopter. Going
along and implementing it (and also realizing that Nominet had a flaw in
the DSS implementation when you use IPv6) made me to learn about its

Reading through that post about SMTP made me think, why not implementing
HTST for SMTP? I understand this is probably not the best field of
suggesting new standards here. And while we're at it, maybe use HPKP as
well for SMTP.

Just my 2¢


www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint:  CCBD 153A D257 CA7E A217  FDF7 5928 03D1 7588 9415

More information about the Ach mailing list