"Well (E)SMTP works effectively by connecting, then knocking on the door and asking for a list of capabilities (EHLO). When the remote SMTP server says "no I don't support TLS", what are you supposed to do?"
If the DNSSEC-secured DANE records specify that connections to this server must be encrypted, then I guess at that point, you drop the connection and bounce the message back to the sender.
I know of at least the Exim and Postfix projects which are both working on adding DANE support to their MTAs.
Also, even without any certificate verification, opportunistic SSL is extremely useful. It may not be able to stop targeted surveillance, but it can sure stop a large chunk (most?) of the dragnet-style surveillance that has recently been reported.
We should do the best we can with our current system until a new system is deployed. We don't know how long we'll be waiting.
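The capability check described above (connect, EHLO, look for STARTTLS, then either encrypt, fall back to plaintext, or refuse delivery because DANE says TLS is mandatory), as an added example that is not code from the original post or from Exim or Postfix. It is a small Python client talking to a constructed in-process fake MTA over a socketpair; the hostnames are made up, and the DNSSEC/TLSA lookup is stood in for by a boolean flag so the example runs offline.

```python
import socket
import threading

# Constructed banner for the fake MTA (hostname is an assumption, not a real server).
BANNER = b"220 mx.example.test ESMTP ready\r\n"


def fake_server(conn, advertise_starttls):
    """Minimal fake SMTP server: greet, answer EHLO (optionally with STARTTLS), handle QUIT."""
    conn.sendall(BANNER)
    f = conn.makefile("rb")
    while True:
        line = f.readline()
        if not line:
            break
        cmd = line.strip().upper()
        if cmd.startswith(b"EHLO"):
            caps = [b"250-mx.example.test", b"250-PIPELINING", b"250-SIZE 10240000"]
            if advertise_starttls:
                caps.append(b"250-STARTTLS")
            caps.append(b"250 8BITMIME")
            conn.sendall(b"\r\n".join(caps) + b"\r\n")
        elif cmd.startswith(b"QUIT"):
            conn.sendall(b"221 bye\r\n")
            break
        else:
            conn.sendall(b"500 command not recognised\r\n")
    f.close()
    conn.close()


def read_reply(f):
    """Read one SMTP reply, including multi-line '250-' continuations.

    Returns (code, [text after the code on each line]).
    """
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        # A space (or nothing) after the 3-digit code marks the last line of the reply.
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def decide_delivery(conn, dane_tlsa_present):
    """Run the EHLO exchange and return what the sending MTA should do next.

    dane_tlsa_present stands in for 'a DNSSEC-validated TLSA record exists for this MX',
    i.e. the policy that TLS is mandatory. Decisions:
      'starttls'  - server advertised STARTTLS; proceed to encrypt (and, with DANE,
                    verify the certificate against the TLSA record).
      'bounce'    - DANE requires TLS but the server cannot do it; refuse delivery.
      'plaintext' - no TLS available and no policy demanding it; opportunistic fallback.
    """
    f = conn.makefile("rb")
    code, _ = read_reply(f)
    if code != 220:
        decision = "defer"
    else:
        conn.sendall(b"EHLO client.example.test\r\n")  # client hostname is an assumption
        code, lines = read_reply(f)
        # First line is the server's greeting; the rest are capability keywords.
        caps = {l.split()[0].upper() for l in lines[1:] if l.strip()}
        if code == 250 and "STARTTLS" in caps:
            decision = "starttls"
        elif dane_tlsa_present:
            decision = "bounce"
        else:
            decision = "plaintext"
    # The example stops at the decision point, so it always says goodbye here;
    # a real client would send STARTTLS instead of QUIT in the 'starttls' case.
    conn.sendall(b"QUIT\r\n")
    read_reply(f)
    f.close()
    conn.close()
    return decision


def run_scenario(advertise_starttls, dane_tlsa_present):
    """Wire a fake server and the client together and return the client's decision."""
    client_sock, server_sock = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server_sock, advertise_starttls), daemon=True)
    t.start()
    decision = decide_delivery(client_sock, dane_tlsa_present)
    t.join(timeout=2)
    return decision


if __name__ == "__main__":
    for starttls, tlsa in [(True, True), (True, False), (False, True), (False, False)]:
        print(f"STARTTLS advertised={starttls}, TLSA present={tlsa}: "
              f"{run_scenario(starttls, tlsa)}")
```

The four scenarios cover the argument in the thread: with STARTTLS on offer the client encrypts whether or not DANE is in play; without it, a TLSA record turns the missing capability into a refusal, while the no-policy case is exactly the opportunistic plaintext fallback the comment defends as still worth having.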
DNSSEC+DANE is fine and all that, but that's another layer of hack job on top of another layer of hack job. It's turtles (or turds in this case) all the way down.
The fact that a simple delivery stack turns into a mish-mash of SpamAssassin, virus scanning, DKIM, DNSSEC, DANE, SPF, PGP, certificates, CAs, numerous ports open, several products and many more TLAs is the problem.
I would say it’s patching a hole, and it’s the feasible way to make email secure, rather than throw it all out and convince the world to switch to a new system.
Most (internet) standards evolve this way. That’s the curse of evolving a standard that is already in widespread use.
Mostly because it rests on CAs, and if the government can compel the CA to give them a signed cert for something that your security relies on, all they have to do is pose a MITM attack and you're blissfully clueless that they're spying on you. The whole system is broken, and if you don't fix the foundations upon which your house is built, no amount of band-aids are going to keep the walls standing.