Re: Thunderbird and end-to-end email encryption – should this be a priority?

Joshua Cranmer 🐧 pidgeot18 at gmail.com
Mon Aug 31 13:06:02 UTC 2015


On 8/30/2015 3:32 AM, Nomis101 wrote:
> If we are talking about secure email, a question I long asked myself
> is, why is mozilla not finishing the implementation of DNSSEC/DANE?
> There are only half-ready patches on Bugzilla. There are some email
> servers supporting this already [1].

<https://www.imperialviolet.org/2015/01/17/notdane.html> (written by a 
Chrome developer, but still more or less the same arguments apply). 
Basically:
1. DNSSEC uses 1024-bit RSA everywhere, where browsers/CAs are trying to 
rip that out.
2. DNSSEC still has some problems getting to clients in certain networks 
(primarily mobile ones is my understanding).
3. Given #2, requiring DANE records to validate SSL certificates is 
untenable to roll out. The other security gains from DANE are rather 
suspect--it's vulnerable to downgrade attack, pinning is already 
possible in HTTP, and DNS is rather poorly audited compared to most CAs.

-- 
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
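An added illustration of the DANE points raised in the message above (it is not code from the message, from Thunderbird, or from the linked article): a small model of TLSA record matching per RFC 6698 (certificate usage, selector, matching type) and of the verdict a client reaches depending on whether the records were DNSSEC-authenticated. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the record set is built in the script; no DNS or TLS is performed. The `dane_verdict` policy is a hypothetical one written for this example: it shows why unauthenticated TLSA answers have to be treated as absent, which is the downgrade weakness the message refers to.

```python
"""Toy DANE/TLSA matcher (RFC 6698 field semantics) on constructed data."""
import hashlib
from dataclasses import dataclass
from typing import List

# Certificate usages (RFC 6698 section 2.1.1).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors (section 2.1.2): 0 = whole certificate DER, 1 = SubjectPublicKeyInfo DER.
SEL_CERT, SEL_SPKI = 0, 1
# Matching types (section 2.1.3): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass(frozen=True)
class Cert:
    # Constructed placeholders; real code would take both from the parsed X.509 certificate.
    der: bytes
    spki: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_for(cert: Cert, usage: int, selector: int, mtype: int) -> TLSARecord:
    """Build the record a zone operator would publish for this certificate."""
    if selector == SEL_CERT:
        selected = cert.der
    elif selector == SEL_SPKI:
        selected = cert.spki
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == MATCH_EXACT:
        data = selected
    elif mtype == MATCH_SHA256:
        data = hashlib.sha256(selected).digest()
    elif mtype == MATCH_SHA512:
        data = hashlib.sha512(selected).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return TLSARecord(usage, selector, mtype, data)


def record_matches(record: TLSARecord, cert: Cert) -> bool:
    """True if the record's association data matches the presented certificate.
    Records with unknown selector or matching type are unusable and never match."""
    try:
        expected = tlsa_for(cert, record.usage, record.selector, record.matching_type)
    except ValueError:
        return False
    return expected.data == record.data


def dane_verdict(records: List[TLSARecord], dnssec_authenticated: bool,
                 cert: Cert, pkix_ok: bool) -> str:
    """Hypothetical client policy (assumption for this example).

    'dane-pass' - an authenticated TLSA record matches the certificate
    'dane-fail' - authenticated records exist but none matches: hard failure
    'no-dane'   - no usable, DNSSEC-authenticated records: PKIX validation alone applies
    Only the end-entity usages (1 and 3) are evaluated; usages 0 and 2 need the chain.
    """
    if not dnssec_authenticated:
        # Without a DNSSEC proof (of the RRset, or of its non-existence) an on-path
        # attacker can drop the TLSA answer and the client cannot distinguish a
        # stripped record from one that was never published. That is the downgrade
        # weakness named in the message, so unauthenticated records count for nothing.
        return "no-dane"
    usable = [r for r in records if r.usage in (PKIX_EE, DANE_EE)]
    if not usable:
        return "no-dane"
    for r in usable:
        # DANE-EE stands alone; PKIX-EE additionally requires a valid CA chain.
        if record_matches(r, cert) and (r.usage == DANE_EE or pkix_ok):
            return "dane-pass"
    return "dane-fail"


def demo() -> dict:
    """Constructed scenario: a legitimate key, its published record, and an impostor key."""
    legit = Cert(der=b"constructed-cert-der:legit", spki=b"constructed-spki:legit")
    impostor = Cert(der=b"constructed-cert-der:impostor", spki=b"constructed-spki:impostor")
    published = tlsa_for(legit, DANE_EE, SEL_SPKI, MATCH_SHA256)
    # The same record in zone-file form, round-tripped through the parser.
    records = [parse_tlsa(f"3 1 1 {published.data.hex()}")]
    return {
        "roundtrip": records[0] == published,
        "legit_authenticated": dane_verdict(records, True, legit, pkix_ok=True),
        "impostor_authenticated": dane_verdict(records, True, impostor, pkix_ok=True),
        "records_stripped": dane_verdict([], False, impostor, pkix_ok=True),
        "unsigned_records_ignored": dane_verdict(records, False, legit, pkix_ok=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two scenarios are the point: once the resolver path cannot prove the TLSA RRset (or its absence), a client that "downgrades gracefully" ends up with exactly the assurance it had before DANE, which is why the message treats requiring DANE for certificate validation as hard to roll out on networks where DNSSEC does not reach the client.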
