Re: Thunderbird and end-to-end email encryption – should this be a priority?

Joshua Cranmer 🐧 pidgeot18 at
Mon Aug 31 13:06:02 UTC 2015

On 8/30/2015 3:32 AM, Nomis101 wrote:
> If we are talking about secure email, a question I long asked myself
> is, why is Mozilla not finishing the implementation of DNSSEC/DANE?
> There are only half-ready patches on Bugzilla. There are some email
> servers supporting this already [1].

<> (written by a 
Chrome developer, but still more or less the same arguments apply). 
1. DNSSEC uses 1024-bit RSA everywhere, where browsers/CAs are trying to 
rip that out.
2. DNSSEC still has some problems getting to clients in certain networks 
(primarily mobile ones is my understanding).
3. Given #2, requiring DANE records to validate SSL certificates is 
untenable to roll out. The other security gains from DANE are rather 
suspect--it's vulnerable to downgrade attack, pinning is already 
possible in HTTP, and DNS is rather poorly audited compared to most CAs.

Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
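To make the downgrade point in item 3 concrete, here is an added example (not code from the thread or from Thunderbird) of the client-side TLSA check a DANE implementation must do: a record is only usable if the DNS answer was DNSSEC-authenticated, so a client that skips that check silently falls back to ordinary PKIX when an attacker strips the records. The certificate and SPKI bytes are constructed stand-ins, not a real key, and only DANE-EE(3) and PKIX-EE(1) usages are handled.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo (not real keys).
SAMPLE_SPKI = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + bytes(range(76))
SAMPLE_CERT = b"\x30\x82\x01\x00" + SAMPLE_SPKI + b"\x00" * 40


@dataclass
class TLSARecord:
    usage: int      # 0..3 (RFC 6698); only 1 and 3 are end-entity matches handled here
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the presentation form '<usage> <selector> <matching> <hex data>'."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record's association data matches the presented certificate."""
    if rec.usage not in (1, 3):
        return False  # usages 0 and 2 need chain validation, not demonstrated here
    blob = {0: cert_der, 1: spki_der}.get(rec.selector)
    if blob is None:
        return False  # unknown selector: record is unusable
    if rec.matching == 0:
        return blob == rec.data
    if rec.matching == 1:
        return hashlib.sha256(blob).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(blob).digest() == rec.data
    return False  # unknown matching type: record is unusable


def dane_verdict(records, authenticated: bool, cert_der: bytes, spki_der: bytes) -> str:
    """'pass' / 'fail' / 'no-dane'. Records that did not arrive DNSSEC-authenticated
    (RFC 7671) or an empty answer mean fallback to PKIX: that fallback is the
    downgrade window, so the authenticated flag must come from the validating resolver."""
    if not authenticated or not records:
        return "no-dane"
    return "pass" if any(tlsa_matches(r, cert_der, spki_der) for r in records) else "fail"
```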

More information about the tb-planning mailing list