Who here excited about SMTP STS?
https://tools.ietf.org/html/draft-margolis-smtp-sts-00
Knowing the IETF it'll probably take another year or two before the first proposed standard, but it's always great to see people working together to make the Internet a better place for everybody.
How many of you already using DNSSEC with DANE?
Shameless bump.
Clueless retard here, how does this benefit me?
>>53675912
STARTTLS in its current state (i.e., absent SMTP STS) is vulnerable to man in the middle attacks by means of encryption downgrade attacks, and also lacks authentication of of mail server identity due to the lack of cryptographical validation (think of public X.509 certificates for PKIX path validation. Ehm, in other words, think of the green lock in your web browser for instance).
A handful of people from large companies (e.g. Comcast, Google, Microsoft) are currently trying to create a new IETF proposed standard by means of this draft that's supposed to mitigate these current vulnerabilities by leveraging DNSSEC (and DANE).
Sorry for the technical mumbo jumbo, but I hope you get the general idea.
>>53676299
oh neat. I looked up STARTTLS, this implementation does seem better then
>>53676299
>lack of cryptographical validation
That's bullshit
>>53676775
Not entirely. Sure, STARTTLS makes use of X.509 PKIX, but I could redirect traffic to a different server with my own certificate which I signed by a trusted CA.
Using DANE (by using DNSSEC), you're in control yourself of making sure only your server is responsible for your domain with your own certificate, regardless of whether it's signed by a trusted CA of your choosing, or self-signed. https://tools.ietf.org/html/rfc6698
