On Wed, Apr 06, 2016 at 11:13:17PM +0000, Orit Levin (CELA) wrote:
> For those who didn't attend the irtfopen session on Tue, I recommend viewing
> the recording at
> https://www.youtube.com/watch?v=36WDbfKEIRI.
>
> The talk relevant to UTA starts at min 22. It provides a great intro to
> the challenges around using email with TLS.
While the talk was interesting and provides useful background it
is also somewhat misleading.
* Firstly it compares SMTP security with HTTPS, but the right
comparison is with the Web, whether HTTP or HTTPS, not just
the "secure" Web. What fraction of HTTP sites visited by users
are HTTPS with valid certificates?
I certainly find many HTTP-only sites, even sites of major
server hardware vendors that provide firmware and software
updates are HTTP-only, or routinely serve HTTP links from
HTTPS pages even if they support both.
The state of SMTP transport security is not nearly as dire as
presented. Yes, the "secure" portion of SMTP is typically only
secure against passive attacks, but in practice more of the
traffic may be at least somewhat protected than with HTTP.
Opportunistic security *is* easier to deploy.
* The dismissal of DANE in the Q&A is either disingenuous or
naive. Yes, DNSSEC adoption is low (around 2% of domains in
my survey), but it is not *zero* as with STS.
Just as DANE requires adoption of new software (DANE capable
MTAs, and DNSSEC validating resolvers), so would STS require
adoption of new capabilities in client MTAs.
DANE software is already available in Postfix and Exim, and in
May will become part of the stable OpenSSL 1.1.0 release. I've
identified 11.7k domains with working DANE (out of an estimated
100k similar domains that don't always appear on lists such as
the Alexa 1M, which is not a particularly relevant list for
email).
Whether the solution is STS, DANE or both, neither will happen
overnight. I estimate broad adoption of STS not much earlier than
circa 2020--2022. In the same timeframe, the large providers could
likely implement DNSSEC and DANE.
Adoption of STS may be faster on the server side at the large
providers, but client-side adoption of STS outside that set of
providers will take longer than it would for DANE, because there
is neither a stable specification, nor even experimental code in
the various open-source MTAs.
The following "well-known" domains (based on a current listing at
Google's email transparency report) support DANE on the server
side:
registro.br
mail.com
mzk.cz
bund.de
jpberlin.de
lrz.de
posteo.de
unitymedia.de
octopuce.fr
comcast.net
t-2.net
xs4all.net
xs4all.nl
debian.org
freebsd.org
gentoo.org
ietf.org
netbsd.org
openssl.org
samba.org
torproject.org
If we include domains that appeared in that report in the past,
the list grows to include:
travelbirdbelgie.be
mailous.com
societe.com
t-2.com
gohost.cz
bayern.de
ish.de
kabelmail.de
ruhr-uni-bochum.de
tum.de
unitybox.de
lepartidegauche.fr
dd24.net
rrpproxy.net
xworks.net
aanbodpagina.nl
jasperalblas.nl
mijngastouderburo.nl
steffann.nl
isc.org
I've identified > 11700 additional domains, but most are too small
to account for a noticeable fraction of most senders' email.
[ Even my domain is not listed, despite my best efforts to
flood the ietf lists with my comments. :-) ]
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
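The message above argues that DANE needs both server-side TLSA records and client-side DNSSEC-validating resolvers, and that "working DANE" for a domain means records a client can actually authenticate. The following is an added illustration of what a DANE-for-SMTP client (RFC 7672) does with a TLSA RRset once it has it; it is not code from the message, from Postfix, Exim or OpenSSL. All inputs are constructed placeholders: the "certificate" and "SPKI" byte strings are not real DER, the TLSA records are derived from them, and the `dnssec_authenticated` flag stands in for the AD bit a validating resolver would set on the answer.

```python
"""DANE-for-SMTP (RFC 7672) TLSA matching in miniature.

Added example, not code from the original message or from any MTA. The
certificate/SPKI bytes and the TLSA records below are constructed
placeholders; a real client takes them from the TLS handshake and from a
DNSSEC-validating resolver respectively.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA2-256, 2 SHA2-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 <hex>' (hex may contain spaces)."""
    fields = rdata.split(None, 3)
    if len(fields) != 4:
        raise ValueError("TLSA rdata needs four fields: %r" % rdata)
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3].split())))


def usable_for_smtp(rr: TLSA) -> bool:
    """RFC 7672: PKIX-TA(0)/PKIX-EE(1) are not used for SMTP; unknown parameters are unusable."""
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def _matching_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the record's selector and matching type to one certificate."""
    selected = spki_der if rr.selector == 1 else cert_der
    if rr.mtype == 0:
        return selected
    if rr.mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


Chain = List[Tuple[bytes, bytes]]  # [(cert_der, spki_der), ...], leaf first


def tlsa_matches(rr: TLSA, chain: Chain) -> bool:
    """DANE-EE(3) must match the leaf; DANE-TA(2) must match an issuer in the chain.
    (A real client also builds and checks the path up to the matched DANE-TA;
    that step is omitted here.)"""
    if not usable_for_smtp(rr) or not chain:
        return False
    candidates = chain[:1] if rr.usage == 3 else chain[1:]
    return any(_matching_data(rr, c, s) == rr.data for c, s in candidates)


def dane_verify(tlsa_rrset: List[TLSA], chain: Chain, dnssec_authenticated: bool) -> str:
    """Decide what the SMTP client should do with this TLSA RRset.

    dnssec_authenticated stands for the resolver's AD bit on the TLSA answer.
    Without it the records are unauthenticated data an attacker in the DNS
    path could have forged, so the client treats the domain as having no DANE
    at all and stays opportunistic. That is why DANE needs a validating
    resolver on the client side and not only TLSA records at the server.
    """
    if not dnssec_authenticated or not tlsa_rrset:
        return "opportunistic"              # STARTTLS if offered, cleartext otherwise
    usable = [rr for rr in tlsa_rrset if usable_for_smtp(rr)]
    if not usable:
        return "encrypt-unauthenticated"    # RFC 7672 2.2.2: TLS required, no auth
    if any(tlsa_matches(rr, chain) for rr in usable):
        return "dane-authenticated"
    return "fail"                           # records exist but none match: defer, don't send


# --- constructed sample data (placeholders, not real DER) ---
LEAF = (b"constructed leaf certificate DER", b"constructed leaf SPKI DER")
ISSUER = (b"constructed issuer certificate DER", b"constructed issuer SPKI DER")
CHAIN: Chain = [LEAF, ISSUER]

# What an operator publishes at _25._tcp.<mx-host>: "3 1 1 <sha256 of leaf SPKI>"
RR_3_1_1 = parse_tlsa("3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest())
RR_2_0_1 = parse_tlsa("2 0 1 " + hashlib.sha256(ISSUER[0]).hexdigest())
RR_STALE = parse_tlsa("3 1 1 " + hashlib.sha256(b"old key").hexdigest())  # key rotated, record not
RR_PKIX = parse_tlsa("1 1 1 " + hashlib.sha256(LEAF[1]).hexdigest())     # unusable for SMTP

if __name__ == "__main__":
    cases = [("signed, current 3 1 1", [RR_3_1_1], True),
             ("signed, DANE-TA 2 0 1", [RR_2_0_1], True),
             ("unsigned zone", [RR_3_1_1], False),
             ("signed, stale record", [RR_STALE], True),
             ("signed, only PKIX usage", [RR_PKIX], True)]
    for label, rrset, ad in cases:
        print("%-26s -> %s" % (label, dane_verify(rrset, CHAIN, ad)))
```

The "stale record" case is the operational hazard behind the message's emphasis on "working" DANE: a zone that is signed and publishes a `3 1 1` digest for a key that has since been rotated turns DANE-aware senders into hard failures, while senders without a validating resolver never notice. The "unsigned zone" case shows the other half of the argument: TLSA records in an unsigned zone buy nothing, which is why client-side DNSSEC adoption is part of the deployment cost.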