Reply to post: Email transport could be better

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

Email transport could be better

You can enforce TLS and you can declare your certificate via DANE easily and simply.

The CA model itself is not all that robust, and there are still some critical vulnerabilities that can be exploited by a well-resourced attacker. Adding DANE TSLA records to the DNS signed zone then with an additional DNS lookup to fetch and validate the TLSA record is a small step, but a significant improvement to the overall security picture.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2021