Reply to post: DNS

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong



since most DNS requests are still unauthenticated (see the section on DANE above), an active attacker can still man-in-the-middle the initial DNS request and convince the sender that the recipient doesn’t support MTA-STS

That might be true, is in fact, I've spoken about it here and elsewhere a number of times but a unified solution is going to be messy. Personally I think there's a number of protocols we should be looking again at and the email ones especially are part of this - like how we guarantee jurisdiction if security services come with warrants - but you can't solve all of this in one go. You really have to let DNS security be DNS security and email security be email security and then pin mail server auth to dns. We've seen from PGP how messy solutions don't solve the problem. The problem is MITM from otherwise well configured servers.

Offer me the protocols and if I believe I need more secure email transport I'll use it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2021