© Men & Mice http://menandmice.com
email transport security
MTA-STS vs. DANE
© ISC http://www.isc.org
Agenda
1. Recap: the problem with Mail Transport Security
2. SMTP MTA Strict Transport Security (MTA-STS)
3. SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
4. SMTP TLS Reporting
the problem with email transport security
Short recap
we've discussed email transport security before
see the previous webinar "DNSSEC & DANE – E-Mail security reloaded" (link below) for details
so here just a short recap …
https://www.menandmice.com/resources/webinar-dnssec-and-dane-e-mail-security/
Transport Encryption
Example of a protocol (HTTP/HTTPS) using a dedicated port and URI scheme for encrypted communication:
Port 80 (http://) - unencrypted
Port 443 (https://) - encrypted
Transport Encryption
SMTP (email) uses in-protocol signalling (STARTTLS) to bootstrap encryption. The signalling itself is unsecured and can be intercepted or modified on the path.
Port 25 - unencrypted
Server greeting (220 banner) - unencrypted
Client greeting (EHLO) - unencrypted
Feature list (250-… lines, including STARTTLS) - unencrypted
Request encryption (STARTTLS command) - unencrypted
Greeting (EHLO again, now inside the TLS session) - encrypted
STARTTLS interception
https://www.eff.org/de/deeplinks/2014/11/starttls-downgrade-attacks
https://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/
https://blog.filippo.io/the-sad-state-of-smtp-encryption/
STARTTLS weakness
the core problem:
the receiving side cannot communicate its encryption policy
the sending side cannot infer the encryption policy, it has to guess; an attacker on the path who removes STARTTLS from the feature list makes that guess come out as "no encryption"
solutions available / being worked on in the IETF:
SMTP MTA Strict Transport Security (MTA-STS)
SMTP with DANE (MTA-DANE)
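The EHLO exchange from the previous slides and the downgrade it allows, as an added Python example (not part of the webinar slides, not code from any MTA): a minimal parser for the feature list, the two kinds of on-path tampering described in the linked EFF and Ars Technica articles (dropping the STARTTLS line, or overwriting the keyword), and the difference between a sender that has to guess and a sender that knows the receiver's policy. The EHLO reply and host names are constructed.

```python
"""STARTTLS negotiation and the downgrade problem, simulated offline.

Added example, not from the Men & Mice slides: a minimal model of the EHLO
feature list, the on-path tampering described in the linked articles, and
the two ways a sending MTA can react. Host names are constructed.
"""

# Constructed multi-line 250 reply of a receiving MTA that offers STARTTLS
# (RFC 5321 EHLO reply, STARTTLS keyword from RFC 3207).
EHLO_REPLY = [
    "250-mail01.example.com Hello sender.example.net",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]


def parse_ehlo_extensions(lines):
    """Return the set of extension keywords advertised in a 250 reply.

    The first line carries the server name and greeting text, every further
    line one keyword (plus optional parameters); intermediate lines use
    '250-', the last one '250 '.
    """
    if not lines or not all(l.startswith(("250-", "250 ")) for l in lines):
        raise ValueError("not a well-formed EHLO success reply")
    if not lines[-1].startswith("250 "):
        raise ValueError("reply is not terminated (last line must start with '250 ')")
    return {l[4:].split(" ", 1)[0].upper() for l in lines[1:]}


def tamper(lines, mode):
    """Model an on-path attacker or middlebox.

    'strip'  removes the STARTTLS line, so the extension is never offered.
    'mangle' overwrites the keyword with 'XXXXXXXX' (the pattern the EFF
             article reports for some firewalls); the client then sees an
             unknown extension and likewise never sends STARTTLS.
    """
    if mode == "strip":
        kept = [l for l in lines if l[4:].upper() != "STARTTLS"]
        kept[-1] = "250 " + kept[-1][4:]      # keep the reply well terminated
        return kept
    if mode == "mangle":
        return [l[:4] + "XXXXXXXX" if l[4:].upper() == "STARTTLS" else l for l in lines]
    raise ValueError("unknown tamper mode %r" % mode)


def sender_decision(extensions, tls_required):
    """How the sending MTA proceeds after reading the feature list.

    tls_required=False is plain opportunistic STARTTLS: the sender has no
    policy to consult, so when STARTTLS is missing it can only assume the
    receiver does not do TLS and falls back to cleartext.
    tls_required=True is a sender that knows the receiver's policy (MTA-STS
    in 'enforce' mode, or a DNSSEC-validated TLSA record): it refuses to
    downgrade and defers the message instead.
    """
    if "STARTTLS" in extensions:
        return "starttls"
    return "defer" if tls_required else "plaintext"


def outcome_matrix():
    """Outcome for every combination of tampering and sender policy."""
    results = {}
    for mode in ("none", "strip", "mangle"):
        reply = EHLO_REPLY if mode == "none" else tamper(EHLO_REPLY, mode)
        ext = parse_ehlo_extensions(reply)
        for tls_required in (False, True):
            results[(mode, tls_required)] = sender_decision(ext, tls_required)
    return results
```

Running `outcome_matrix()` shows the point of the slide: with both kinds of tampering the opportunistic sender ends up at "plaintext", while the sender with a policy ends up at "defer", which is the only safe answer when the feature list cannot be trusted.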
SMTP MTA Strict Transport Security (MTA-STS)
draft-ietf-uta-mta-sts (later published as RFC 8461, September 2018)
MTA-STS
MTA-STS (Message Transfer Agent Strict Transport Security)
a mail receiving domain publishes its encryption policy
•via a TXT record in DNS
•plus a policy document on a TLS secured web server (a JSON document in the draft version discussed here; the final RFC 8461 replaced it with a plain-text key/value file at /.well-known/mta-sts.txt)
draft-ietf-uta-mta-sts
https://tools.ietf.org/html/draft-ietf-uta-mta-sts
MTA-STS for "example.com"
the administrator of the domain "example.com" publishes a TXT record
at the "well-known" sub-domain "_mta-sts"
containing the version of the MTA-STS format and an id that identifies the current version of this domain's mail transport encryption policy
use of DNSSEC is recommended (without it, an attacker who can spoof DNS can hide the record from a sender that has nothing cached yet)
_mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"
v=STSv1      MTA-STS version
id=20170411  encryption policy version: an opaque string the administrator changes whenever the policy document changes, so that senders refetch it
MTA-STS for "example.com"
the administrator of the domain "example.com" also publishes a JSON document
at the "well-known" sub-domain "mta-sts" and the path "/.well-known/mta-sts.json"
https://mta-sts.example.com/.well-known/mta-sts.json
https://                    TLS secured
mta-sts.example.com         mta-sts domain (the label "mta-sts" prepended to the mail domain)
/.well-known/mta-sts.json   path to the JSON policy document
MTA-STS for "example.com"
example content of the JSON document (format of the draft discussed here)
{
  "version": "STSv1",
  "mode": "enforce",
  "mx": [".mail.example.com"],
  "max_age": 123456
}
version   MTA-STS version
mode      "enforce" (do not deliver when TLS or certificate validation fails) or "report" (deliver anyway, only report the failure)
mx        patterns for the DNS-ID (Subject Alternative Name, or Common Name) that must be present in the X.509 certificate presented by any MX receiving mail for this domain; the leading "." is the draft's wildcard notation for the hosts below "mail.example.com"
max_age   maximum lifetime of the policy in the sender's cache, in seconds
MTA-STS: the sending side's view
components: sending MUA, sending MTA and DNS(SEC) resolver in the sending domain; authoritative DNS, receiving MTA and policy webserver in the receiving domain; the Internet in between
1. mail is delivered from the MUA to the sending MTA
2. the sending MTA checks its policy cache for the receiving domain
3. on a cache miss (or to see whether the id has changed) it requests the mta-sts TXT record in DNS
   _mta-sts.example.com. TXT ?
   _mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"
4. it requests the JSON policy from the web server, verifying the x509 certificate of the TLS connection, and stores the policy in its cache
   https://mta-sts.example.com/.well-known/mta-sts.json
5. it opens the SMTP session with STARTTLS and validates the x509 certificate of the receiving MTA against the policy
6. it delivers the mail (or, in enforce mode, defers it when step 5 fails)
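The sending side of MTA-STS as described on the slides above, as an added Python example (not part of the webinar slides, not the code of any MTA): it parses the `_mta-sts` TXT record and the draft-format JSON policy, implements the cache check (steps 2 to 4 of the flow) and validates the identity in the receiving MX's certificate against the policy's `mx` patterns (step 5). The TXT record, policy and certificate names are constructed from the slide's examples; the live DNS lookup and the HTTPS fetch with certificate validation are not modelled. Treating the draft's leading "." the same as the "*." wildcard is an assumption of this example.

```python
"""MTA-STS on the sending side, simulated offline.

Added example, not from the Men & Mice slides or from any MTA: it parses
the _mta-sts TXT record and the draft-format JSON policy shown on the
slides, implements the cache check of the flow, and validates the MX
certificate identity against the policy's "mx" patterns. Inputs are
constructed from the slide's examples; network fetches are not modelled.
"""
import json
import time

# Constructed inputs, taken from the slide examples.
TXT_RECORD = "v=STSv1; id=20170411;"
POLICY_JSON = """{
  "version": "STSv1",
  "mode": "enforce",
  "mx": [".mail.example.com"],
  "max_age": 123456
}"""


def parse_sts_txt(txt):
    """Parse 'v=STSv1; id=...;' into a dict; reject anything that is not STSv1."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a usable MTA-STS TXT record: %r" % txt)
    return fields


def parse_policy(text):
    """Parse the draft JSON policy and check every field the sender relies on."""
    policy = json.loads(text)
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "report"):
        raise ValueError("unknown mode %r" % policy.get("mode"))
    if not isinstance(policy.get("mx"), list) or not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    if not isinstance(policy.get("max_age"), int) or policy["max_age"] <= 0:
        raise ValueError("max_age must be a positive number of seconds")
    return policy


def needs_refresh(cache_entry, txt_fields, now=None):
    """Cache check: refetch when nothing is cached, the cached policy is older
    than its max_age, or the id in DNS differs from the cached id."""
    now = time.time() if now is None else now
    if cache_entry is None:
        return True
    if now - cache_entry["fetched_at"] > cache_entry["policy"]["max_age"]:
        return True
    return cache_entry["id"] != txt_fields["id"]


def mx_pattern_matches(pattern, hostname):
    """Match a host name against one "mx" pattern, case-insensitively.

    A leading '*.' is a wildcard for exactly one label (the RFC 8461 rule).
    The leading '.' of the slide's draft notation is treated the same way;
    that equivalence is an assumption of this example.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
    elif pattern.startswith("."):
        suffix = pattern
    else:
        return pattern == hostname
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return label != "" and "." not in label


def cert_matches_policy(policy, cert_dns_ids):
    """True if any DNS-ID in the presented certificate matches any mx pattern."""
    return any(mx_pattern_matches(p, name) for p in policy["mx"] for name in cert_dns_ids)


def delivery_decision(policy, cert_dns_ids, chain_valid):
    """'deliver' on success; otherwise 'defer' in enforce mode (try again later,
    never fall back to cleartext) or 'deliver-and-report' in report mode."""
    if chain_valid and cert_matches_policy(policy, cert_dns_ids):
        return "deliver"
    return "defer" if policy["mode"] == "enforce" else "deliver-and-report"
```

`chain_valid` stands for the result of normal PKIX chain validation against the sender's root CA store, which MTA-STS requires in addition to the name match; `needs_refresh` is what makes the policy cache work as a protection for later deliveries even if DNS is tampered with after the first successful fetch.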
SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
RFC 7672
MTA-DANE
SMTP with DANE signals the encryption policy of a mail server via DNSSEC secured DNS: the existence of a DNSSEC-validated TLSA record for an MX host tells the sender that TLS is mandatory for that host
the TLSA record holds the full certificate or public key (or, more commonly, a SHA-256 / SHA-512 hash of it), which is verified against the certificate presented by the receiving mail server
MTA-DANE is standardised in RFC 7672 (October 2015)
MTA-DANE: the sending side's view
components: sending MUA, sending MTA and DNSSEC validating resolver in the sending domain; authoritative DNS and receiving MTA in the receiving domain (no policy webserver)
1. mail is delivered from the MUA to the sending MTA
2. the sending MTA requests the TLSA record for the MX host (port 25, TCP) and validates the DNSSEC chain of trust
   _25._tcp.mail01.example.com. TLSA ?
   _25._tcp.mail01.example.com. TLSA 3 1 1 ( BDC6A9F8312BF24C81D[..]387A147 )
3. it opens the SMTP session with STARTTLS and validates the x509 certificate against the TLSA certificate/hash
4. it delivers the mail
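The TLSA check from step 2 and 3 above, plus the certificate rollover discipline mentioned in the comparison further down, as an added Python example (not part of the webinar slides, not the code of any MTA): it derives the TLSA owner name for an MX host, computes and matches the certificate association data of a "3 1 1" record like the one on the slide, applies RFC 7672's rule that the PKIX usages 0 and 1 are unusable for SMTP, and shows that a new key must have its record published before the certificate is switched. The certificates and keys are constructed placeholder bytes standing in for DER-encoded X.509 and SubjectPublicKeyInfo structures, and DNSSEC validation of the RRset is assumed to have succeeded already.

```python
"""DANE TLSA matching for SMTP (RFC 6698 / RFC 7672), simulated offline.

Added example, not from the Men & Mice slides or from any MTA. Certificates
and keys are constructed stand-ins for DER encodings; DNSSEC validation of
the TLSA RRset is assumed to have succeeded before any of this runs.
"""
import hashlib

# Constructed stand-ins for DER encodings (a real MTA takes them from the TLS handshake).
OLD_SPKI = b"DER SubjectPublicKeyInfo of the current mail01 key (constructed stand-in)"
OLD_CERT = b"DER X.509 certificate wrapping OLD_SPKI (constructed stand-in)"
NEW_SPKI = b"DER SubjectPublicKeyInfo of the next mail01 key (constructed stand-in)"
NEW_CERT = b"DER X.509 certificate wrapping NEW_SPKI (constructed stand-in)"


def tlsa_owner_name(mx_host, port=25, proto="tcp"):
    """Owner name of the TLSA RRset for a service: _<port>._<proto>.<host>."""
    return "_%d._%s.%s." % (port, proto, mx_host.rstrip("."))


def association_data(selector, matching_type, cert_der=None, spki_der=None):
    """Certificate association data (hex) for a selector / matching type pair."""
    if selector == 0:            # Cert(0): the full certificate
        chosen = cert_der
    elif selector == 1:          # SPKI(1): only the SubjectPublicKeyInfo
        chosen = spki_der
    else:
        raise ValueError("unknown selector %d" % selector)
    if chosen is None:
        raise ValueError("no data for selector %d" % selector)
    if matching_type == 0:       # Full(0): exact match of the DER bytes
        return chosen.hex()
    if matching_type == 1:       # SHA2-256(1)
        return hashlib.sha256(chosen).hexdigest()
    if matching_type == 2:       # SHA2-512(2)
        return hashlib.sha512(chosen).hexdigest()
    raise ValueError("unknown matching type %d" % matching_type)


def make_tlsa(usage, selector, matching_type, cert_der=None, spki_der=None):
    """Presentation format of a TLSA record, e.g. '3 1 1 <hex>'."""
    data = association_data(selector, matching_type, cert_der, spki_der)
    return "%d %d %d %s" % (usage, selector, matching_type, data.upper())


def parse_tlsa(rdata):
    """Parse presentation format; tolerates the '( ... )' continuation form of the slide."""
    usage, selector, mtype, rest = rdata.split(None, 3)
    data = "".join(rest.replace("(", " ").replace(")", " ").split()).lower()
    return int(usage), int(selector), int(mtype), data


def usable_records(rrset):
    """RFC 7672: PKIX-TA(0) and PKIX-EE(1) are unusable for SMTP; keep DANE-TA(2), DANE-EE(3)."""
    return [r for r in rrset if parse_tlsa(r)[0] in (2, 3)]


def decide(rrset, presented_cert, presented_spki):
    """Outcome of the TLSA check against the certificate the receiving MTA presented.

    'authenticated-tls'            a DANE-EE(3) record matches the end-entity
                                   certificate (no CA chain and no name check
                                   needed; the DNSSEC-signed record vouches for it)
    'unauthenticated-tls-required' the RRset has no usable record: TLS stays
                                   mandatory, but the server cannot be authenticated
    'fail'                         usable records exist but none matches: do not
                                   deliver, never fall back to cleartext
    DANE-TA(2) records, matched against an issuer in the chain, are not modelled.
    """
    usable = usable_records(rrset)
    if not usable:
        return "unauthenticated-tls-required"
    for r in usable:
        usage, selector, mtype, data = parse_tlsa(r)
        if usage == 3 and association_data(selector, mtype, presented_cert, presented_spki) == data:
            return "authenticated-tls"
    return "fail"


def rollover_rrset(current_cert, current_spki, next_spki):
    """Pre-publish the next key's '3 1 1' record beside the current one.

    Selector 1 (SPKI) is chosen because the record survives certificate
    renewals that keep the same key; only the key must be known in advance.
    Remove the old record only after the old certificate is gone and the old
    RRset's TTL has expired in resolver caches.
    """
    return [make_tlsa(3, 1, 1, current_cert, current_spki),
            make_tlsa(3, 1, 1, spki_der=next_spki)]
```

The last two assertions of the usage are the rollover point from the comparison slides: with only the old record published, the new certificate yields "fail" and mail is not delivered; with the pre-published pair, both the old and the new certificate authenticate, so the key can be switched at any time during the overlap.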
DANE success stories
Cloudmark will support MTA-DANE in the upcoming release 5.2
Cloudmark has about 12% global market share (20% of mobile accounts) in the email business
https://blog.cloudmark.com/2017/03/27/dane-and-email-security/
DANE success stories
the large German mail service providers (web.de / gmx.de / 1&1) support MTA-DANE
together over 50% market share in Germany
https://de.slideshare.net/GMX_Deutschland/e-mailstudie-2015-deutsche-anbieter-bevorzugt
https://www.heise.de/newsticker/meldung/Abhoersicherheit-Web-de-sichert-Mail-Transport-zusaetzlich-per-DANE-ab-3175333.html
DANE success stories
the Dutch government requests MTA-DANE from government agencies
https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-secure-the-connections-of-mail-servers.html
DANE success stories
the German "Federal Office for Information Security" (BSI) requires MTA-DANE for its "secure e-mail" certification (TR-03108)
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108-1.pdf
Comparing MTA-STS vs. MTA-DANE
MTA-STS vs. MTA-DANE
MTA-STS does not require DNSSEC (but it is recommended)
MTA-STS defines a policy cache: once a policy has been fetched, later deliveries are protected for max_age even if DNS or the policy web server is tampered with afterwards; the very first delivery to a domain, before anything is cached, is not
MTA-STS requires x509 certificates that validate against a root CA certificate trusted by the sender (no "self-signed" certs)
MTA-STS requires an HTTPS server to serve the policy document
MTA-STS requires validation of the HTTPS connection (certificate chain and host name) used to fetch the policy document
MTA-STS vs. MTA-DANE
MTA-DANE does require DNSSEC (a signed zone on the receiving side and a validating resolver on the sending side)
MTA-DANE has no policy cache (but the TTL on TLSA records works as such)
MTA-DANE allows "self-signed" certificates (certificate usage DANE-EE(3): the DNSSEC-signed record, not a CA, vouches for the key)
MTA-DANE policy can be changed by switching the TLSA record in DNS
MTA-DANE TLS certificate rollover needs to be in sync with the TLSA record(s): publish the record for the new certificate or key before switching, and drop the old record only after the old RRset's TTL has expired
MTA-DANE relies on trust in the DNSSEC chain
SMTP TLS Reporting
draft-ietf-uta-smtp-tlsrpt (later published as RFC 8460, September 2018)
SMTP TLS reporting
SMTP TLS reporting defines a DNS record to signal a reporting channel, and a report format, for SMTP encryption failures
the sending MTA can report issues with TLS encryption to the operator of the receiving MTA
SMTP TLS reporting can be used with MTA-STS and MTA-DANE
Reports include:
•MITM attacks (certificate mismatch)
•expired certificates
•server not answering
•certificate not validating against a root CA
•…
https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
SMTP TLS reporting
the administrator of a mail domain publishes the reporting policy as a TXT record in DNS
using the "well-known" subdomain "_smtp-tlsrpt" inside the mail domain
the rua field names where reports go: a mailto: address (report delivered as a mail) or an https: URI (report delivered by HTTP POST)
Example (report via SMTP):
_smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1;rua=mailto:reports@example.com"
Example (report via HTTPS):
_smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1; rua=https://reporting.example.com/v1/tlsrpt"
https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
SMTP TLS reporting: flow
1. the sending MTA opens the STARTTLS SMTP session with the receiving MTA; the x509 certificate fails to validate against the TLSA certificate/hash (or against the MTA-STS policy)
2. the sending MTA requests the _smtp-tlsrpt TXT record of the receiving domain
   _smtp-tlsrpt.example.com. TXT ?
   _smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1;rua=mailto:reports@example.com"
3. the sending MTA delivers the report mail to the rua address (failures are aggregated over a 24 hour period, not reported per session)
SMTP TLS reporting
Example JSON report
https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
{
  "organization-name": "Company-X",
  "date-range": {
    "start-datetime": "2016-04-01T00:00:00Z",
    "end-datetime": "2016-04-01T23:59:59Z"
  },
  "contact-info": "sts-reporting@company-x.com",
  "report-id": "5065427c-23d3-47ca-b6e0-946ea0e8c4be",
  "policy": {
    "policy-type": "sts",
    "policy-string": "{ \"version\": \"STSv1\", \"mode\": \"report\", \"mx\": [\"*.example.com\"], \"max_age\": 86400 }",
    "policy-domain": "company-y.com",
    "mx-host": "*.mail.company-y.com"
  },
  "summary": {
    "success-aggregate": 5326,
    "failure-aggregate": 303
  },
  "failure-details": [{
    "result-type": "certificate-expired",
    "sending-mta-ip": "98.136.216.25",
    "receiving-mx-hostname": "mx1.mail.company-y.com",
    "session-count": 100
  }, {
    "result-type": "starttls-not-supported",
    "sending-mta-ip": "98.22.33.99",
    "receiving-mx-hostname": "mx2.mail.company-y.com",
    "session-count": 200,
    "additional-information": "hxxps://reports.company-x.com/report_info?id=5065427c-23d3#StarttlsNotSupported"
  }]
}
organization-name  reporting company (the sending side)
date-range         report time range (24 hours)
contact-info       contact information of the reporter
report-id          unique id of this report
policy             the policy the sender applied (MTA-STS here; "tlsa" for DANE) and the domain / MX hosts it applied to
summary            successful and failed sessions in the period
failure-details    one entry per failure type and receiving MX, with the number of affected sessions
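The receiving operator's side of TLS reporting, as an added Python example (not part of the webinar slides, not the code of any MTA or report processor): it parses the `_smtp-tlsrpt` TXT record from the earlier slide into its report destinations, validates the aggregate JSON report shown above and condenses the failure details into per-result-type and per-MX counts. The record and the report are the slide's examples, inlined as constructed sample input; the `counts_consistent` check also shows that the detail counts in that example (100 + 200) do not add up to its `failure-aggregate` of 303, so a report consumer should not trust either number blindly.

```python
"""SMTP TLS Reporting (TLSRPT) records and reports, parsed offline.

Added example, not from the Men & Mice slides or from any MTA. The TXT
record and the JSON report are the slide's examples, inlined here as
constructed sample input.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Both destinations from the slide in one record (rua takes a comma-separated list).
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:reports@example.com,https://reporting.example.com/v1/tlsrpt"

REPORT_JSON = r"""{
  "organization-name": "Company-X",
  "date-range": {"start-datetime": "2016-04-01T00:00:00Z", "end-datetime": "2016-04-01T23:59:59Z"},
  "contact-info": "sts-reporting@company-x.com",
  "report-id": "5065427c-23d3-47ca-b6e0-946ea0e8c4be",
  "policy": {
    "policy-type": "sts",
    "policy-string": "{ \"version\": \"STSv1\", \"mode\": \"report\", \"mx\": [\"*.example.com\"], \"max_age\": 86400 }",
    "policy-domain": "company-y.com",
    "mx-host": "*.mail.company-y.com"
  },
  "summary": {"success-aggregate": 5326, "failure-aggregate": 303},
  "failure-details": [
    {"result-type": "certificate-expired", "sending-mta-ip": "98.136.216.25",
     "receiving-mx-hostname": "mx1.mail.company-y.com", "session-count": 100},
    {"result-type": "starttls-not-supported", "sending-mta-ip": "98.22.33.99",
     "receiving-mx-hostname": "mx2.mail.company-y.com", "session-count": 200,
     "additional-information": "hxxps://reports.company-x.com/report_info?id=5065427c-23d3#StarttlsNotSupported"}
  ]
}"""


def parse_tlsrpt_txt(txt):
    """Return the report destinations of a TLSRPT record; reject unusable records."""
    fields = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        raise ValueError("not a usable TLSRPT record: %r" % txt)
    uris = [u.strip() for u in fields["rua"].split(",") if u.strip()]
    for uri in uris:
        if urlsplit(uri).scheme not in ("mailto", "https"):
            raise ValueError("unsupported report destination: %r" % uri)
    return uris


REQUIRED_TOP = ("organization-name", "date-range", "contact-info", "report-id", "policy", "summary")


def parse_report(text):
    """Load an aggregate report and check the fields a consumer depends on."""
    report = json.loads(text)
    missing = [k for k in REQUIRED_TOP if k not in report]
    if missing:
        raise ValueError("report lacks %s" % ", ".join(missing))
    # "sts" for MTA-STS, "tlsa" for DANE, "no-policy-found" when the sender found neither.
    if report["policy"].get("policy-type") not in ("sts", "tlsa", "no-policy-found"):
        raise ValueError("unknown policy-type %r" % report["policy"].get("policy-type"))
    return report


def embedded_policy(report):
    """The policy the sender applied, as it was serialised into policy-string."""
    return json.loads(report["policy"]["policy-string"])


def failure_summary(report):
    """Failed sessions per result-type and per receiving MX."""
    by_type, by_mx = Counter(), Counter()
    for f in report.get("failure-details", []):
        by_type[f["result-type"]] += f["session-count"]
        by_mx[f["receiving-mx-hostname"]] += f["session-count"]
    return by_type, by_mx


def counts_consistent(report):
    """Sanity check: detail session counts should add up to failure-aggregate."""
    total = sum(f["session-count"] for f in report.get("failure-details", []))
    return total == report["summary"]["failure-aggregate"]
```

A "starttls-not-supported" count against an MX that is known to offer STARTTLS is exactly the signature of the interception described at the start of the webinar; per-MX aggregation is what makes it stand out from a genuinely misconfigured host.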
Next

Men & Mice DNS Training
•Introduction to DNS & BIND Hands-On Class
•September 18 – 20, 2017 (Zurich, Switzerland)
•Introduction & Advanced DNS and BIND Topics Hands-On Class
•September 18 – 22, 2017 (Zurich, Switzerland)
https://www.menandmice.com/training/

Men & Mice DNS Training (German language, at Linuxhotel)
•DNS & BIND (German Language)
•May 22 – 24, 2017, Essen, DE
•DNSSEC and DANE (German Language)
•December 4-12, 2017, Essen, DE
http://linuxhotel.de/
our next webinar
Certification Authority Authorization Record
The CAA Record (Certification Authority Authorization) is used to signal which certification authority (CA) is allowed to issue x509 certificates for a given domain. CAA creates a DNS mechanism that enables domain name owners to whitelist the CAs that are allowed to issue certificates for their hostnames.
Starting in September 2017, CAs must check the CAA record before issuing a certificate.
We will explain the CAA record, how it works, how to enter CAA into a zone and how certification authorities are about to use the record.
Join us for a 45 minute webinar with a Q&A session at the end, on Thursday, May 18th, 2017 at 5:00 PM CEST / 3:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.
Thank you!
Questions? Comments?
Handwritten Text Recognition for manuscripts and early printed texts
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

SMTP STS (Strict Transport Security) vs. SMTP with DANE

  • 1. © Men & Mice http://menandmice.com
    email transport security: MTA-STS vs. DANE
  • 2. Agenda (© ISC http://www.isc.org)
    1. Recap: the problem with Mail Transport Security
    2. SMTP MTA Strict Transport Security (MTA-STS)
    3. SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
    4. SMTP TLS Reporting
  • 3. the problem with email transport security
  • 4. Short recap
    we've discussed email transport security before; see the previous webinar "DNSSEC & DANE – E-Mail security reloaded" (link below) for details, so here just a short recap …
    https://www.menandmice.com/resources/webinar-dnssec-and-dane-e-mail-security/
  • 5. Transport Encryption
    Example of a protocol (HTTP/HTTPS) using a dedicated port and URI for encrypted communication:
    Port 80 - unencrypted
    Port 443 - encrypted
  • 6. Transport Encryption
    SMTP (email) uses in-protocol signalling to bootstrap encryption. The signalling is unsecured and can be intercepted.
    Port 25 - unencrypted
    Greeting - unencrypted
    Greeting - unencrypted
    Feature-List - unencrypted
    Request encryption - unencrypted
    Greeting - encrypted
  • 7. STARTTLS interception
    https://www.eff.org/de/deeplinks/2014/11/starttls-downgrade-attacks
    https://arstechnica.com/security/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/
    https://blog.filippo.io/the-sad-state-of-smtp-encryption/
  • 8. STARTTLS weakness
    the core problem:
    • the receiving side cannot communicate its encryption policy
    • the sending side cannot infer the encryption policy, it needs to guess
    solutions available/worked on in the IETF:
    • SMTP MTA Strict Transport Security (MTA-STS)
    • SMTP with DANE (MTA-DANE)
  • 9. SMTP MTA Strict Transport Security (MTA-STS)
    draft-ietf-uta-mta-sts
  • 10. MTA-STS
    MTA-STS (Message-Transfer-Agent Strict-Transport-Security): a mail receiving domain publishes its encryption policy
    • via a TXT record in DNS
    • plus a JSON document on a TLS-secured web server
    draft-ietf-uta-mta-sts: https://tools.ietf.org/html/draft-ietf-uta-mta-sts
  • 11. MTA-STS for "example.com"
    the administrator of the domain "example.com" publishes a TXT record at the "well-known" sub-domain "_mta-sts" containing the version number of this domain's mail-transport encryption policy; use of DNSSEC is recommended
    _mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"
    ("v=STSv1" is the MTA-STS version, "id=20170411" is the encryption policy version)
  • 12. MTA-STS for "example.com"
    the administrator of the domain "example.com" also publishes a JSON document at the "well-known" sub-domain "mta-sts" under the path ".well-known/mta-sts.json"
    https://mta-sts.example.com/.well-known/mta-sts.json
    (TLS-secured; "mta-sts" is the policy domain, ".well-known/mta-sts.json" the path to the JSON document)
  • 13. MTA-STS for "example.com"
    example content of the JSON document:
    { "version": "STSv1", "mode": "enforce", "mx": [".mail.example.com"], "max_age": 123456 }
    • "version": MTA-STS version
    • "mode": "enforce" or "report"
    • "mx": Common Name or Subject Alternative Name DNS-ID present in the X.509 certificate presented by any MX receiving mail for this domain
    • "max_age": max lifetime of the policy
  • 14. MTA-STS
    [diagram: sending domain with sending MUA, sending MTA and DNS(SEC) resolver; receiving domain with auth DNS, receiving MTA and policy webserver; connected over the Internet]
  • 15. MTA-STS
    mail delivered to the sending MTA
  • 16. MTA-STS
    sending MTA checks its policy cache
  • 17. MTA-STS
    sending MTA requests the mta-sts TXT record in DNS:
    _mta-sts.example.com. TXT ?
    _mta-sts.example.com. 900 IN TXT "v=STSv1; id=20170411;"
  • 18. MTA-STS
    sending MTA requests the JSON policy from the web server, verifies the TLS x509 security and stores the policy in its cache:
    https://mta-sts.example.com/.well-known/mta-sts.json
  • 19. MTA-STS
    STARTTLS SMTP session; the sending MTA validates the x509 certificate against the policy
  • 20. MTA-STS
    deliver mail
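The sending-side evaluation described in slides 11 to 20, as an added example (not code from the webinar or from any MTA): the TXT record and JSON policy are parsed, the MX name is matched against the policy, and the cache check decides whether a stored policy may be reused. The DNS answer and the HTTPS response are constructed strings; the wildcard rule (a pattern starting with "." or "*." matches exactly one label) is an assumption based on the two spellings that appear on the slides.

```python
"""Added example (not from the webinar slides): how a sending MTA evaluates a
receiving domain's MTA-STS policy, using the TXT record and JSON policy fields
of slides 11-13 and the cache check of slide 16.  Runs offline on sample data."""
import json

# Constructed: what the resolver and the policy web server would return.
TXT_RECORD = '"v=STSv1; id=20170411;"'
POLICY_DOC = '{"version": "STSv1", "mode": "enforce", "mx": [".mail.example.com"], "max_age": 123456}'

def parse_sts_txt(txt: str) -> dict:
    """Turn 'v=STSv1; id=20170411;' into {'v': 'STSv1', 'id': '20170411'}."""
    fields = {}
    for part in txt.strip('"').split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record: %r" % txt)
    return fields

def parse_policy(doc: str) -> dict:
    """Validate the JSON policy fetched from the .well-known path."""
    policy = json.loads(doc)
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "report"):
        raise ValueError("unsupported version or mode")
    if not isinstance(policy.get("mx"), list) or not policy["mx"]:
        raise ValueError("policy needs at least one mx pattern")
    if not isinstance(policy.get("max_age"), int) or policy["max_age"] <= 0:
        raise ValueError("max_age must be a positive number of seconds")
    return policy

def mx_matches(mx_host: str, pattern: str) -> bool:
    """Match the MX certificate name against one mx pattern.  Assumption: a
    pattern starting with '.' or '*.' (both spellings appear on the slides)
    matches exactly one label in front of it; anything else is an exact match."""
    mx_host, pattern = mx_host.rstrip(".").lower(), pattern.rstrip(".").lower()
    if pattern.startswith(("*.", ".")):
        suffix = "." + pattern.lstrip("*.")
        prefix = mx_host[:-len(suffix)]
        return mx_host.endswith(suffix) and prefix != "" and "." not in prefix
    return mx_host == pattern

def policy_is_fresh(cached: dict, txt_id: str, now: float) -> bool:
    """Cache check (slide 16): a cached policy is reused only while the TXT id
    is unchanged and fewer than max_age seconds have passed since it was fetched."""
    return (cached["id"] == txt_id
            and now < cached["fetched_at"] + cached["policy"]["max_age"])

def evaluate(mx_host: str, txt: str = TXT_RECORD, doc: str = POLICY_DOC) -> str:
    """Decision for one MX: 'deliver' if its name matches the policy; otherwise
    'refuse' in enforce mode or 'deliver-and-report' in report mode."""
    parse_sts_txt(txt)
    policy = parse_policy(doc)
    if any(mx_matches(mx_host, p) for p in policy["mx"]):
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```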
  • 21. SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
    RFC 7672
  • 22. MTA-DANE
    SMTP with DANE signals the encryption policy of a mail server via DNSSEC-secured DNS: the TLSA record holds the full certificate (or a hash of the certificate), which can be verified against the certificate presented by the receiving mail server
    MTA-DANE is standardised in RFC 7672 (Oct 2015)
  • 23. MTA-DANE
    [diagram: sending MUA, sending MTA, DNSSEC resolver; auth DNS, receiving MTA]
    mail delivered to the sending MTA
  • 24. MTA-DANE
    sending MTA requests the TLSA record and validates the DNSSEC chain of trust:
    _25._tcp.mail01.example.com. TLSA
    _25._tcp.mail01.example.com. TLSA 3 1 1 ( BDC6A9F8312BF24C81D[..]387A147 )
  • 25. MTA-DANE
    STARTTLS SMTP session; the sending MTA validates the x509 certificate against the TLSA cert/hash
  • 26. MTA-DANE
    deliver mail
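The TLSA check of slides 24 and 25, and the rollover caveat of slide 33 (the certificate change has to stay in sync with the TLSA records), as an added example that is not code from the webinar or from any MTA. The certificate bytes are constructed placeholders standing in for a parsed X.509 certificate, so no TLS library or network access is needed; only DANE-EE (usage 3) records are matched, because usages 0 to 2 additionally need PKIX chain validation.

```python
"""Added example (not from the slides): matching a presented certificate
against TLSA records like the '3 1 1' record on slide 24, and the record
sequence a safe certificate rollover needs (slide 33)."""
import hashlib
from collections import namedtuple

# Constructed stand-in for a parsed X.509 certificate: its DER encoding and
# the SubjectPublicKeyInfo (SPKI) field inside it.
Cert = namedtuple("Cert", "der spki")
CURRENT_CERT = Cert(b"constructed DER of current cert", b"constructed SPKI of current key")
NEXT_CERT = Cert(b"constructed DER of next cert", b"constructed SPKI of next key")

def _association_data(cert: Cert, selector: int, mtype: int) -> str:
    """selector 0 = full certificate, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return data.hex().upper()
    algo = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return algo(data).hexdigest().upper()

def tlsa_rdata(cert: Cert, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """TLSA presentation format 'usage selector mtype hex-data', defaulting to
    the '3 1 1' form shown on slide 24 (DANE-EE, SPKI, SHA-256)."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("invalid TLSA parameters")
    return "%d %d %d %s" % (usage, selector, mtype, _association_data(cert, selector, mtype))

def cert_matches_tlsa(cert: Cert, records: list) -> bool:
    """True if the presented certificate matches at least one DANE-EE record.
    Usage 0-2 records would also need PKIX validation, which is out of scope
    here, so they are skipped rather than trusted."""
    for rr in records:
        usage, selector, mtype, data = rr.split(None, 3)
        if usage != "3":
            continue
        expected = _association_data(cert, int(selector), int(mtype))
        if data.replace(" ", "").upper() == expected:
            return True
    return False

def rollover_plan(current: Cert, nxt: Cert) -> dict:
    """Slide 33: publish the new TLSA record next to the old one first, wait at
    least one TTL so every resolver can see both, then install the new
    certificate, and only then drop the old record."""
    return {
        "before": [tlsa_rdata(current)],
        "during": [tlsa_rdata(current), tlsa_rdata(nxt)],
        "after": [tlsa_rdata(nxt)],
    }
```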
  • 27. DANE success stories
    Cloudmark will support MTA-DANE in the upcoming release 5.2; Cloudmark has about 12% global market share (20% of mobile accounts) in the email business
    https://blog.cloudmark.com/2017/03/27/dane-and-email-security/
  • 28. DANE success stories
    large German mail service providers (web.de/gmx.de/1&1) support MTA-DANE; over 50% market share in Germany
    https://de.slideshare.net/GMX_Deutschland/e-mailstudie-2015-deutsche-anbieter-bevorzugt
    https://www.heise.de/newsticker/meldung/Abhoersicherheit-Web-de-sichert-Mail-Transport-zusaetzlich-per-DANE-ab-3175333.html
  • 29. DANE success stories
    the Dutch government requests MTA-DANE from government agencies
    https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-secure-the-connections-of-mail-servers.html
  • 30. DANE success stories
    the German "Federal Office for Information Security" requires MTA-DANE for "secure e-mail" certification
    https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108-1.pdf
  • 31. Comparing MTA-STS vs. MTA-DANE
  • 32. MTA-STS vs. MTA-DANE
    • MTA-STS does not require DNSSEC (but it is recommended)
    • MTA-STS defines a policy cache
    • MTA-STS requires x509 certificates that validate against a root CA certificate (no "self-signed" certs)
    • MTA-STS requires an HTTPS server to serve the policy JSON document
    • MTA-STS requires validation of the HTTPS connection used to fetch the policy document
  • 33. MTA-STS vs. MTA-DANE
    • MTA-DANE requires DNSSEC
    • MTA-DANE has no policy cache (but the TTL on TLSA records can work as such)
    • MTA-DANE allows "self-signed" certificates
    • MTA-DANE policy can be changed by switching the TLSA record in DNS
    • MTA-DANE TLS-cert rollover needs to be in sync with the TLSA record(s)
    • MTA-DANE relies on trust in the DNSSEC chain
  • 34. SMTP TLS Reporting
    draft-ietf-uta-smtp-tlsrpt
  • 35. SMTP TLS reporting
    SMTP TLS reporting defines a protocol to signal a reporting channel for SMTP encryption failures: the sending MTA can report issues with TLS encryption to the receiving MTA operator
    SMTP TLS reporting can be used with MTA-STS and MTA-DANE
    Reports include:
    • MITM attacks (certificate mismatch)
    • expired certificates
    • server not answering
    • certificate not validating against the Root CA
    • …
    https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
  • 36. SMTP TLS reporting
    the administrator of a mail domain publishes the reporting policy as a TXT record in DNS, using the "well-known" subdomain "_smtp-tlsrpt" inside the mail domain
    Example (SMTP-Report):
    _smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1;rua=mailto:reports@example.com"
    Example (HTTP-Report):
    _smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1; rua=https://reporting.example.com/v1/tlsrpt"
    https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt
  • 37. SMTP TLS reporting
    [diagram: sending MUA, sending MTA, DNS(SEC) resolver; auth DNS, receiving MTA]
    STARTTLS SMTP session; the x509 certificate fails to validate against the TLSA cert/hash
  • 38. SMTP TLS reporting
    sending MTA requests the _smtp-tlsrpt TXT record:
    _smtp-tlsrpt.example.com. TXT
    _smtp-tlsrpt.example.com. IN TXT "v=TLSRPTv1;rua=mailto:reports@example.com"
  • 39. SMTP TLS reporting
    deliver report mail
  • 40. SMTP TLS reporting
    Example JSON report (https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt); the quotes inside "policy-string" are escaped here and the comma after "summary" added so that the document is valid JSON:
    {
      "organization-name": "Company-X",
      "date-range": {
        "start-datetime": "2016-04-01T00:00:00Z",
        "end-datetime": "2016-04-01T23:59:59Z"
      },
      "contact-info": "sts-reporting@company-x.com",
      "report-id": "5065427c-23d3-47ca-b6e0-946ea0e8c4be",
      "policy": {
        "policy-type": "sts",
        "policy-string": "{ \"version\": \"STSv1\",\"mode\": \"report\", \"mx\": [\"*.example.com\"], \"max_age\": 86400 }",
        "policy-domain": "company-y.com",
        "mx-host": "*.mail.company-y.com"
      },
      "summary": {
        "success-aggregate": 5326,
        "failure-aggregate": 303
      },
      "failure-details": [{
        "result-type": "certificate-expired",
        "sending-mta-ip": "98.136.216.25",
        "receiving-mx-hostname": "mx1.mail.company-y.com",
        "session-count": 100
      }, {
        "result-type": "starttls-not-supported",
        "sending-mta-ip": "98.22.33.99",
        "receiving-mx-hostname": "mx2.mail.company-y.com",
        "session-count": 200,
        "additional-information": "hxxps://reports.company-x.com/report_info?id=5065427c-23d3#StarttlsNotSupported"
      }]
    }
    • "organization-name": reporting company
    • "date-range": report time range (24 hours)
    • "contact-info": contact information
    • "policy": used policy
    • "summary": report summary
    • "failure-details": failure details
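Both halves of the reporting flow of slides 36 to 40, as an added example that is not code from the webinar or from any MTA: the receiving side's `_smtp-tlsrpt` TXT record is parsed into its report destinations, and the sending side aggregates a day of session outcomes into a report with the field layout of slide 40. The TXT record, the session log (with documentation-range IP addresses) and the policy string are constructed sample data; grouping failures by result type, sending IP and receiving MX is an assumption taken from the shape of the example report.

```python
"""Added example (not from the slides): parsing the TLSRPT TXT record of
slide 36 and building an aggregate report shaped like slide 40 from a
constructed log of SMTP session outcomes."""
import uuid
from collections import Counter

# Constructed: TXT record published by the receiving domain (both rua forms).
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:reports@example.com,https://reporting.example.com/v1/tlsrpt"

# Constructed: one day of outcomes seen by a sending MTA as
# (result_type or None for success, sending IP, receiving MX hostname).
SESSIONS = [
    (None, "198.51.100.25", "mx1.mail.example.com"),
    (None, "198.51.100.25", "mx1.mail.example.com"),
    ("certificate-expired", "198.51.100.25", "mx1.mail.example.com"),
    ("starttls-not-supported", "198.51.100.99", "mx2.mail.example.com"),
    ("starttls-not-supported", "198.51.100.99", "mx2.mail.example.com"),
]

def parse_tlsrpt_txt(txt: str) -> list:
    """Return the report destinations ("rua") from a TLSRPT TXT record."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "TLSRPTv1" or "rua" not in fields:
        raise ValueError("not a valid TLSRPT record: %r" % txt)
    uris = [u.strip() for u in fields["rua"].split(",")]
    bad = [u for u in uris if not u.startswith(("mailto:", "https://"))]
    if bad:
        raise ValueError("unsupported rua destinations: %r" % bad)
    return uris

def build_report(org: str, contact: str, policy_domain: str, policy_string: str,
                 start: str, end: str, sessions: list) -> dict:
    """Aggregate session outcomes into a TLSRPT report (layout of slide 40).
    Failures are grouped by (result-type, sending IP, receiving MX)."""
    failures = Counter((r, ip, mx) for r, ip, mx in sessions if r)
    success = sum(1 for r, _, _ in sessions if r is None)
    return {
        "organization-name": org,
        "date-range": {"start-datetime": start, "end-datetime": end},
        "contact-info": contact,
        "report-id": str(uuid.uuid4()),
        "policy": {"policy-type": "sts", "policy-string": policy_string,
                   "policy-domain": policy_domain},
        "summary": {"success-aggregate": success,
                    "failure-aggregate": sum(failures.values())},
        "failure-details": [
            {"result-type": r, "sending-mta-ip": ip,
             "receiving-mx-hostname": mx, "session-count": n}
            for (r, ip, mx), n in sorted(failures.items())],
    }
```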
  • 41. Next
  • 42. Men & Mice DNS Training
    • Introduction to DNS & BIND Hands-On Class
    • September 18 – 20, 2017 (Zurich, Switzerland)
    https://www.menandmice.com/training/
  • 43. Men & Mice DNS Training
    • Introduction & Advanced DNS and BIND Topics Hands-On Class
    • September 18 – 22, 2017 (Zurich, Switzerland)
    https://www.menandmice.com/training/
  • 44. Men & Mice DNS Training
    • DNS & BIND (German Language)
    • May 22 – 24, 2017, Essen, DE
    • DNSSEC and DANE (German Language)
    • December 4-12, 2017, Essen, DE
    http://linuxhotel.de/
  • 45. our next webinar: Certification Authority Authorization Record
    The CAA Record (Certification Authority Authorization) is used to signal which certification authority (CA) is allowed to issue x509 certificates for a given domain. CAA creates a DNS mechanism that enables domain name owners to whitelist the CAs that are allowed to issue certificates for their hostnames. Starting from September 2017, certificate-issuing CAs must support the CAA record. We will explain the CAA record, how it works, how to enter CAA into a zone and how certification authorities are about to use the record. Join us for a 45-minute webinar with a Q&A session at the end, on Thursday, May 18th, 2017 at 5:00 PM CEST / 3:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.
  • 46. Thank you! Questions? Comments?