

In reply to Comment by Reader Charles

Reader Lie on 2016-04-26 at 15:33:

A downgrade attack is trivial to protect against: a client will simply require STARTTLS and drop the connection when the server does not support ESMTP and encryption.

DNSSEC and DANE protect against a different vulnerability, which is that MUAs and MTAs can't reliably verify the server's certificate. In the DNSSEC and DANE scenario, the attacker MITMs the encrypted connection: it receives an encrypted connection from the client and then makes an encrypted connection to the mail server. In other words, even if both client and server refuse unencrypted connections, that is all futile if the client cannot verify the server's certificate. DNSSEC signs DNS records to protect them from being tampered with by malicious or compromised recursive DNS resolvers, and DANE embeds the TLS certificate inside DNSSEC-signed records to avoid reliance on CAs, whose security model is totally broken for email. Additionally, there is also DNSCrypt/DNSCurve, which encrypts the connection to the DNS server to protect privacy against eavesdropping.
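
As an added worked example (not part of the comment above or of this blog), the following stdlib-only Python shows the DANE-EE check the comment describes: a TLSA record from the server's DNSSEC-signed zone is matched against the certificate the SMTP peer presents, and a MITM certificate is rejected no matter which CA signed it. The DER encoder/parser, the three synthetic certificates (server, server re-issued with the same key, attacker) and the record values are constructed for the example; the parser assumes well-formed DER as a TLS peer would send, and only usage 3 (DANE-EE) is implemented, since usage 2 (DANE-TA) also needs chain building.

```python
"""DANE-EE (TLSA usage 3) matching of a server certificate, stdlib only.
Added example: the DER helpers and certificates below are constructed for
illustration and are not real mail-server data."""
import hashlib
from dataclasses import dataclass


# --- minimal DER helpers (assume well-formed DER, as a TLS peer would send) ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def der_children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 cert (TLSA selector 1)."""
    _, cert_body, _ = der_read(cert_der)        # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(cert_body)        # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                    # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_body = fields[5]
    return der(spki_tag, spki_body)             # DER is canonical: byte-identical to the original


# --- synthetic certificates (constructed; no real keys or signatures) ---
def build_fake_cert(pubkey: bytes, serial: int = 1) -> bytes:
    oid = lambda hexstr: der(0x06, bytes.fromhex(hexstr))
    sig_alg = der(0x30, oid("2a864886f70d01010b"))                  # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, oid("550403") + der(0x0C, b"mail.example"))))  # CN=
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z"))
    alg = der(0x30, oid("2a864886f70d010101") + der(0x05, b""))    # rsaEncryption, NULL params
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))            # BIT STRING, 0 unused bits
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(16)))  # dummy signature


SERVER_CERT = build_fake_cert(bytes(range(32)))              # the real server
REISSUED_CERT = build_fake_cert(bytes(range(32)), serial=2)  # same key, renewed certificate
MITM_CERT = build_fake_cert(bytes(range(32, 64)))            # attacker's key; any CA could sign it


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, data = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(data))


def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    if rec.selector == 0:
        subject = cert_der
    elif rec.selector == 1:
        subject = spki_from_cert(cert_der)
    else:
        return False                    # unknown selector: record unusable, never a match
    if rec.mtype == 0:
        return subject == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(subject).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(subject).digest() == rec.data
    return False                        # unknown matching type


def dane_ee_accepts(records, cert_der: bytes) -> bool:
    """Accept the presented leaf if any DANE-EE record matches it; no CA is consulted."""
    return any(r.usage == 3 and tlsa_matches(r, cert_der) for r in records)


def demo() -> dict:
    spki_rec = TLSA(3, 1, 1, hashlib.sha256(spki_from_cert(SERVER_CERT)).digest())  # "3 1 1"
    cert_rec = TLSA(3, 0, 1, hashlib.sha256(SERVER_CERT).digest())                  # "3 0 1"
    return {
        "server_ok_spki": dane_ee_accepts([spki_rec], SERVER_CERT),
        "server_ok_cert": dane_ee_accepts([cert_rec], SERVER_CERT),
        "mitm_rejected": not dane_ee_accepts([spki_rec, cert_rec], MITM_CERT),
        "reissue_ok_spki": dane_ee_accepts([spki_rec], REISSUED_CERT),  # key pin survives renewal
        "reissue_ok_cert": dane_ee_accepts([cert_rec], REISSUED_CERT),  # exact-cert pin does not
        "roundtrip": parse_tlsa("3 1 1 " + spki_rec.data.hex()) == spki_rec,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one usually published for SMTP, and the demo shows why: it keeps matching when the certificate is renewed with the same key, whereas "3 0 1" pins the exact certificate and breaks on renewal. Either way the attacker's certificate fails, which is the property the comment is after: the client no longer needs to trust a CA to decide whether the TLS peer is the real mail server.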

