Andrew Ayer

Reader Jarek on 2014-08-13 at 21:59:

Yes, DANE can do that. Also, it can specify CA signing the server certificate (because even if TLS is enforced, attacker can MITM the connection, as certificates aren't validated. Without DANE they can't, because there is no common database of trusted CAs and each server trusting other CAs would lead to chaos and unreliability). For instance, for the Postfix implementation see http://www.postfix.org/TLS_README.html#client_tls_dane.

It's not only not trivial, but also impossible for a client to protect against downgrade attacks without additional tricks. Those tricks can include DANE, manual configuration (not scalable) and some magic caching (but I wouldn't say it'd be a properly-programmed client, what would happen if remote server simply turns off TLS?). And even with the insane-magic-caching, we still have the common trust anchor problem. So well... the author is wrong here (at least in SMTP case, interactive clients or freshly designed protocols might be in better position).

As for wide support... It's supported by two very (most?) popular SMTP servers (Postfix and Exim), so it's not that bad. But it appeared only recently (is available only in relatively fresh versions) and requires additional configuration (especially validating DNSSEC resolver). But bigger problem is on the other side (target) -- it's not widely deployed.

But it has to ba said, that even the opportunistic encryption with possible downgrade attacks is beneficial. Often the monitoring is passive (attacker just sniffs received traffic without tampering it) and downgrade attacks require active MITMing. So, while not perfect, it's still better than nothing.

Reply