undefined | Better HN

0 pointse12e11y ago0 comments

I've been thinking about experimenting with enforcing cert-checks on incoming tls/smtp. Possibly with a plain text smtp mx as fallback (through some kind of try-again-later greylist-like magic).

Providing a fallback would negate the security benefit, obviously -- but might gather enough data for a whitelist (ish) of servers/sending domains which we can demand valid certs for.

I'm not too concerned about bouncing valid email, as long as it doesn't create loops. Nor am I that worried about missing emails.

As long as all the senders are a) mailing-lists that either should do the right thing, or will actually change to do the right thing if an error is reported, b) big free services like gmail/yahoo/outlook that might be divided into groups of "does the right thing" and "blacklist"/bounce to let any friend know that they need to send from "free service y, not x" -- and c) friends that run their own email servers and can be beaten (eh, educated) to compliance.

I'd really not like to rely on some random CA list, though. I'm personally a cacert.org-fan/user -- but I suppose one might try to lean on DANE to avoid that particular hairball -- to some extent. It's either that or manual whitelist+trust on first use/some kind of pinning.

0 comments

1 comments · 1 top-level

jcrites11y ago

One of the biggest security gaps in SMTP is that failing to establish TLS will result in falling back to plaintext; it's opportunistic TLS. Senders and receivers don't perform path validation because a validation failure will not stop a message from being sent -- it will just be sent with plaintext.

The missing piece is widespread support for a way for receiving mail servers to declare that they support TLS (and optionally identify their CA or pin their certificate), such that it will instruct senders to connect with mandatory TLS instead of opportunistic TLS. With a protocol like this in place, senders can begin performing path validation of the receiver's certificate when they connect, but only for receivers who declare it, allowing an incremental nonbreaking rollout. Once widespread support is in place, we can begin making an effort to require validated certificates.

By the way, you might be interested in Google's email transparency report, where they publish statistics on TLS adoption: http://www.google.com/transparencyreport/saferemail/

I'd be interested to chat with anyone about email security and ideas to improve it; feel free to reach out. I would gladly put my support behind and implement a proposal that will solve these problems.

j / k navigate · click thread line to collapse

0 comments

1 comments · 1 top-level

jcrites11y ago

By the way, you might be interested in Google's email transparency report, where they publish statistics on TLS adoption: http://www.google.com/transparencyreport/saferemail/

j / k navigate · click thread line to collapse