Re: Thunderbird and end-to-end email encryption – should this be a priority?
Joshua Cranmer 🐧
pidgeot18 at gmail.com
Mon Aug 31 13:06:02 UTC 2015
On 8/30/2015 3:32 AM, Nomis101 wrote:
> If we are talking about secure email, a question I long asked myself
> is, why is Mozilla not finishing the implementation of DNSSEC/DANE?
> There are only half-ready patches on Bugzilla. There are some email
> servers supporting this already.
<https://www.imperialviolet.org/2015/01/17/notdane.html> (written by a
Chrome developer, but still more or less the same arguments apply).
1. DNSSEC uses 1024-bit RSA everywhere, where browsers/CAs are trying to
rip that out.
2. DNSSEC still has some problems getting to clients in certain networks
(primarily mobile ones is my understanding).
3. Given #2, requiring DANE records to validate SSL certificates is
untenable to roll out. The other security gains from DANE are rather
suspect--it's vulnerable to downgrade attack, pinning is already
possible in HTTP, and DNS is rather poorly audited compared to most CAs.
Thunderbird and DXR developer
Source code archæologist
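The downgrade problem in point 3 is easier to see in code than in prose. The block below is an added illustration, not part of the post and not Thunderbird or Mozilla code. It models TLSA matching as specified in RFC 6698 (selector 0/1, matching type 0/1/2, end-entity usages 1 and 3 only; the CA-constraint usages 0 and 2 need the full chain and are not modelled) together with a client policy that either hard-fails or soft-fails when the DNSSEC answer cannot be validated. All certificate and SPKI bytes are constructed placeholders, not real DER, and the DnsStatus outcomes are an assumed abstraction of a validating resolver's result.

```python
"""Toy model of DANE-TLSA matching and of the DNSSEC-unavailable downgrade.

Added example; not Thunderbird code. The cert/SPKI bytes are constructed
placeholders, and DnsStatus is an assumed abstraction of resolver output.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class DnsStatus(Enum):
    SECURE = "secure"      # answer validated with DNSSEC
    INSECURE = "insecure"  # zone unsigned: TLSA cannot be trusted
    BOGUS = "bogus"        # validation failed, or signatures were stripped en route


@dataclass(frozen=True)
class Tlsa:
    usage: int      # RFC 6698 certificate usage; 1 = PKIX-EE, 3 = DANE-EE modelled here
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def _digest(matching: int, subject: bytes) -> bytes:
    if matching == 0:
        return subject
    if matching == 1:
        return hashlib.sha256(subject).digest()
    if matching == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(usage: int, selector: int, matching: int, subject: bytes) -> Tlsa:
    """Build the TLSA record a domain would publish for `subject` (cert or SPKI bytes)."""
    return Tlsa(usage, selector, matching, _digest(matching, subject))


def tlsa_matches(rec: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply one record's selector and matching type to the presented certificate."""
    if rec.selector == 0:
        subject = cert_der
    elif rec.selector == 1:
        subject = spki_der
    else:
        return False  # unknown selector never matches
    try:
        return _digest(rec.matching, subject) == rec.data
    except ValueError:
        return False


def dane_verify(status, records, cert_der, spki_der, pkix_ok, hard_fail):
    """Return (accepted, reason) for one TLS handshake.

    hard_fail=True  : refuse unless DNSSEC produced a validated answer.
    hard_fail=False : fall back to plain PKIX when DNSSEC is unavailable.
    """
    if status is DnsStatus.SECURE:
        if not records:
            # Validated proof that no TLSA exists: DANE says nothing, PKIX decides.
            return pkix_ok, "secure-no-tlsa: pkix decides"
        for r in records:
            if r.usage not in (1, 3):
                continue  # usages 0/2 constrain the chain; not modelled here
            if tlsa_matches(r, cert_der, spki_der):
                if r.usage == 1 and not pkix_ok:
                    return False, "pkix-ee match but pkix failed"
                return True, f"usage-{r.usage} match"
        return False, "tlsa-mismatch"
    # INSECURE or BOGUS: any TLSA answer we received is untrustworthy.
    if hard_fail:
        return False, f"{status.value}: refusing without validated dns"
    return pkix_ok, f"{status.value}: downgraded to pkix"


# Constructed placeholders, not real DER.
GOOD_CERT = b"constructed-cert-legit"
GOOD_SPKI = b"constructed-spki-legit"
ATTACKER_CERT = b"constructed-cert-attacker"   # assume a mis-issued but PKIX-valid cert
ATTACKER_SPKI = b"constructed-spki-attacker"
TLSA_RECORDS = [make_tlsa(3, 1, 1, GOOD_SPKI)]  # "3 1 1" DANE-EE, SPKI, SHA-256


def demo():
    """Outcomes for an honest server and for an attacker holding a PKIX-valid cert."""
    S, B = DnsStatus.SECURE, DnsStatus.BOGUS
    return {
        "honest_secure": dane_verify(S, TLSA_RECORDS, GOOD_CERT, GOOD_SPKI, True, False),
        "attacker_secure": dane_verify(S, TLSA_RECORDS, ATTACKER_CERT, ATTACKER_SPKI, True, False),
        # Attacker also blocks/strips DNSSEC: soft-fail client accepts the mis-issued cert.
        "attacker_bogus_softfail": dane_verify(B, [], ATTACKER_CERT, ATTACKER_SPKI, True, False),
        "attacker_bogus_hardfail": dane_verify(B, [], ATTACKER_CERT, ATTACKER_SPKI, True, True),
        # Hard-fail also breaks the honest server on a network that cannot get DNSSEC.
        "honest_bogus_hardfail": dane_verify(B, [], GOOD_CERT, GOOD_SPKI, True, True),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:26} accepted={ok!s:5} {why}")
```

The two BOGUS rows are the whole argument: with soft-fail, an attacker who can both obtain a PKIX-valid certificate and block DNSSEC from reaching the client gets exactly what they would have had without DANE, so DANE adds nothing against that attacker; with hard-fail, the honest server becomes unreachable from every network where DNSSEC answers do not arrive, which is the rollout problem in point 2.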