Fwd: Re: whonix.org DNSSEC/DANE

2020-03-13 Thread estellnb

Dear readers of the debian-security mailing list,

  I have recently described how to set up a secure emailing terminal 
at https://www.elstel.org/DANE/. Since then I have got dozens of replies 
from people who said that they did not receive my emails before, not 
even in the spam folder. There are only two people whom I could still 
not reach. One of them is Patrick Schleizer. He normally always responds 
to me but I know he is reading debian-security and that is why I have 
decided to write to you today. The email was on how easy it is to enable 
DANE for a custom domain: enable DNSSEC and provide a TLSA record. The 
other contact is Claudio Guarnieri. He also works in a security-related 
context. He appears not to have received my emails though I sent out the 
same email a dozen times.


Yours Sincerely,
Elmar Stellnberger

 Original message 
Subject: Re: whonix.org DNSSEC/DANE
Date: 08.03.2020 07:55
From: estel...@elstel.org
To: Patrick Schleizer 


On 29.12.2019 10:43, Elmar Stellnberger wrote:

Hello Patrick

  So, if your domain supports DNSSEC, then DANE support is dead easy
to get:
https://ssl-tools.net/tlsa-generator

I always use DANE-EE & Use full certificate. That is the easiest to
check on the command line. My TLSA record then looks as follows:

$ drill m.root-servers.net +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.elstel.org | egrep -v "^$|^;"
_443._tcp.elstel.org.   19819   IN  TLSA    3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865

see also:
https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml

this works too:
dig @$dns +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.$1

Wishing you a happy new year and pleasant remaining holidays,
Elmar


On 02.09.19 at 15:55, Patrick Schleizer wrote:

Elmar Stellnberger:
P.S.: How about support for DANE on whonix.org?

I have seen that domain providers such as inwx.de already support
DNSSEC/DANE by now.



DNSSEC looks good.

https://dnssec-debugger.verisignlabs.com/whonix.org

DANE: not yet

In general:

https://www.whonix.org/wiki/Privacy_Policy_Technical_Details

Well, it is just a Hetzner server. Nothing against Hetzner, but you
cannot expect much security from any server provider these days.



 Original message 
Subject: Re: analysis of a complete rootkit
Date: 08.03.2020 07:54
From: estel...@elstel.org
To: Nex 

Dear Claudio Guarnieri

I just wanted to ask you whether you know about the current mass 
surveillance plaintiff against the BND? The EFF has said it could even 
become a legal precedent for US law. As you care about the analysis of 
rootkits I thought you could be interested. Please respond shortly to my 
email so that I will know whether you have received it. I have sent you 
this email now a dozen times without getting a reply. Please look at 
https://www.elstel.org/DANE/ and https://www.elstle.org/atea/ and at the 
message I will post on debian-security in some time on how to get a 
secure emailing client. You are one of two contacts who do not 
respond. All others (dozens) have responded to me since I have secure DANE 
emailing.


Best Regards,
Elmar
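
Added example, not part of the forwarded messages: a Python check that a certificate matches a TLSA record of the "3 0 1" form quoted above (DANE-EE, full certificate, SHA-256), using the field numbering from the IANA dane-parameters registry. The function names, the example.org owner name and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

# Mnemonics from the IANA dane-parameters registry (RFC 6698 / RFC 7218).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def parse_tlsa(rr_line):
    """Parse one presentation-format TLSA line as printed by drill or dig."""
    fields = rr_line.split()
    idx = fields.index("TLSA")  # ValueError if the line is not a TLSA record
    usage, selector, mtype = (int(f) for f in fields[idx + 1:idx + 4])
    # The hex data may be wrapped into several whitespace-separated chunks.
    data = bytes.fromhex("".join(fields[idx + 4:]))
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unassigned TLSA parameter")
    if mtype in (1, 2) and len(data) != 32 * mtype:
        raise ValueError("digest length does not fit the matching type")
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": data}


def association_data(cert_der, selector, mtype):
    """Compute the bytes the record must carry for this DER certificate."""
    if selector != 0:
        # Selector 1 needs the SubjectPublicKeyInfo cut out of the certificate.
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    if mtype == 0:
        return cert_der
    return hashlib.new("sha256" if mtype == 1 else "sha512", cert_der).digest()


def cert_matches(rr_line, cert_der):
    """True if the certificate is the one the TLSA record pins."""
    rec = parse_tlsa(rr_line)
    computed = association_data(cert_der, rec["selector"], rec["mtype"])
    return hmac.compare_digest(computed, rec["data"])


def describe(rr_line):
    rec = parse_tlsa(rr_line)
    return " ".join((USAGES[rec["usage"]], SELECTORS[rec["selector"]], MATCHING[rec["mtype"]]))


# Constructed stand-in for DER certificate bytes and a matching record.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_RR = "_443._tcp.example.org. 3600 IN TLSA 3 0 1 " + hashlib.sha256(SAMPLE_DER).hexdigest()
```

With selector 0 the digest covers the whole certificate, so the record has to be republished whenever the certificate is renewed. A PEM certificate can be converted for `cert_matches` with `ssl.PEM_cert_to_DER_cert` from the standard library.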



External check

2020-03-13 Thread Security Tracker
Loaded CA certificate '/etc/ssl/ca-global/ca-certificates.crt'
GnuTLS: Error in the pull function.
Unable to establish SSL connection.
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.