Skip to Content [alt-c]

Comment

In reply to Comment by Reader Charles

Reader Jarek on 2014-08-13 at 21:59:

Yes, DANE can do that. Also, it can specify CA signing the server certificate (because even if TLS is enforced, attacker can MITM the connection, as certificates aren't validated. Without DANE they can't, because there is no common database of trusted CAs and each server trusting other CAs would lead to chaos and unreliability). For instance, for the Postfix implementation see http://www.postfix.org/TLS_README.html#client_tls_dane.

It's not only not trivial, but also impossible for a client to protect against downgrade attacks without additional tricks. Those tricks can include DANE, manual configuration (not scalable) and some magic caching (but I wouldn't say it'd be a properly-programmed client, what would happen if remote server simply turns off TLS?). And even with the insane-magic-caching, we still have the common trust anchor problem. So well... the author is wrong here (at least in SMTP case, interactive clients or freshly designed protocols might be in better position).

As for wide support... It's supported by two very (most?) popular SMTP servers (Postfix and Exim), so it's not that bad. But it appeared only recently (is available only in relatively fresh versions) and requires additional configuration (especially validating DNSSEC resolver). But bigger problem is on the other side (target) -- it's not widely deployed.

But it has to ba said, that even the opportunistic encryption with possible downgrade attacks is beneficial. Often the monitoring is passive (attacker just sniffs received traffic without tampering it) and downgrade attacks require active MITMing. So, while not perfect, it's still better than nothing.

Reply

Post a Reply

Your comment will be public. If you would like to contact me privately, please email me. Please keep your comment on-topic, polite, and comprehensible.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with ">" are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim.
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.