Re: Thunderbird and end-to-end email encryption – should this be a priority?

Nomis101 Nomis101 at web.de
Mon Aug 31 19:36:20 UTC 2015


On 31.08.15 at 15:06, Joshua Cranmer 🐧 wrote:
> On 8/30/2015 3:32 AM, Nomis101 wrote:
>> If we are talking about secure email, a question I long asked myself
>> is, why is Mozilla not finishing the implementation of DNSSEC/DANE?
>> There are only half-ready patches on Bugzilla. There are some email
>> servers supporting this already [1].
> <https://www.imperialviolet.org/2015/01/17/notdane.html> (written by a 
> Chrome developer, but still more or less the same arguments apply). 
> Basically:
> 1. DNSSEC uses 1024-bit RSA everywhere, where browsers/CAs are trying to 
> rip that out.
> 2. DNSSEC still has some problems getting to clients in certain networks 
> (primarily mobile ones is my understanding).
> 3. Given #2, requiring DANE records to validate SSL certificates is 
> untenable to roll out. The other security gains from DANE are rather 
> suspect--it's vulnerable to downgrade attack, pinning is already 
> possible in HTTP, and DNS is rather poorly audited compared to most CAs.
>
OK, thanks for the informative link. But on the other hand, /with DPRIVE
and DANE and DNSSEC you're creating the next generation of DNS step by
step/ [1]

[1]
https://gist.github.com/mnot/382aca0b23b6bf082116#scale-of-pervasive-monitoring
