
SecuMail® secures e-mail transmission with DANE
A modern technique for additional protection of TLS-secured services such as SMTP or HTTP is:
DANE (DNS-based Authentication of Named Entities)
Why?
DANE remedies a long-known weakness of the TLS public-key infrastructure: it provides a secure way to validate a server's certificate (or its public key) that does not depend on the trustworthiness of any certificate authority. This matters because every CA a client trusts is a single point of failure: any one of them can issue a certificate for any domain name, and if it is compromised or deceived, every security measure that relies on the certificates it has issued is undermined. The domain owner has no influence on the security of a certificate authority, nor on its information policy should a relevant problem occur.
Compare us with your e-mail provider; one click is all it takes: Security Validation for Mail Servers (https://de.ssl-tools.net/mailservers/secumail.de)
How does DANE work?
Technically, DANE works as follows: the operator publishes a fingerprint (hash) of the server's certificate, or of the public key it contains, in DNS as a TLSA record, which any client can retrieve. The client compares this value with the certificate presented during the TLS handshake; only if they match can it be sure that the certificate really comes from the operator of the service and is not a forgery issued by some other CA. This authenticates the certificate independently of the CA system and defeats man-in-the-middle attacks in which an attacker presents a different, CA-signed certificate. The procedure works in exactly the same way with self-signed certificates, because the trust anchor is the DNS record rather than the issuer.
DNSSEC?
For the fingerprints in DNS to be a security gain at all, DNSSEC must be in use: plain DNS answers can be spoofed or poisoned too easily, and an attacker who can forge the TLSA record can just as well forge the certificate. The domain of the service must therefore be hosted on a DNSSEC-capable name server (or with a hoster that signs the zone) which publishes the fingerprint of the TLS service to be protected in a so-called TLSA record. In principle, DANE can protect any protocol that runs over TLS. On the server side, only the TLSA record has to be entered into the DNSSEC-signed zone; the client, however, must actively perform the DANE check, and it must validate the DNSSEC signatures itself or obtain the record from a trusted validating resolver, because an unsigned TLSA answer carries no more assurance than ordinary DNS.
Who?
Because DNSSEC is still not widely deployed, this aspect is usually the hardest part of introducing DANE. WorNet customers are in luck: our DNS servers now support DNSSEC, as described in this blog article. At present only a few web browsers and mail servers support DANE; that usually improves as adoption spreads. In August 2015, Heise reported on the decision of the providers behind the initiative "E-Mail made in Germany", which includes well-known brands such as web.de and GMX, to introduce DANE in their systems. Although DANE was introduced there, encryption appears to have been pushed forward mainly within the circle of "E-Mail made in Germany"-certified providers. SecuMail®, on the other hand, is happy to encrypt with every e-mail participant.
Concrete?
Our spam filter SecuMail®, i.e. the MX servers mx-a.secumail.de and mx-b.secumail.de, already has both DNSSEC-signed zones and valid TLSA records. Every mail server that sends e-mail to our SecuMail® customers therefore automatically benefits from the additional verification of our TLS certificates, provided DANE is enabled on the sending side.
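To make the two halves of the procedure concrete, the server side that derives the record to publish and the client side that checks the handshake certificate against it, here is an added example using only the Python standard library. It is my illustration, not code from this page or from SecuMail/WorNet. Because a real certificate cannot be embedded here, the script constructs a structurally valid DER certificate with a dummy key and dummy signature; in practice the DER bytes would come from the server's key material or from `ssl.SSLSocket.getpeercert(binary_form=True)`. The function names and the record name `_25._tcp.mx.example.` are mine; the name follows the TLSA convention of prefixing port and protocol to the MX host name. Only the DANE-EE usage (3) is verified, one of the two usages RFC 7672 allows for SMTP; DANE-TA (usage 2) would additionally require matching against the chain the server presents.

```python
"""DANE/TLSA with the Python standard library only (added example, not page code).
Server side: derive the TLSA record to publish in the DNSSEC-signed zone.
Client side: compare the handshake certificate against that record.
The certificate is a constructed DER blob with a dummy key and dummy signature."""
import hashlib

def der(tag, content):
    """Encode one DER TLV; the two-byte long form is enough for this example."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_walk(buf, pos, stop):
    """Yield (tag, start, value_start, end) for each TLV between pos and stop."""
    while pos < stop:
        start, tag, length = pos, buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                          # long form: next N bytes hold the length
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        yield tag, start, pos, pos + length
        pos += length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout:
    Certificate{tbs, sigAlg, sig}; tbs{[0] version?, serial, sigAlg, issuer, validity, subject, spki, ...})."""
    _, _, cert_val, cert_end = next(der_walk(cert_der, 0, len(cert_der)))
    _, _, tbs_val, tbs_end = next(der_walk(cert_der, cert_val, cert_end))
    fields = list(der_walk(cert_der, tbs_val, tbs_end))
    if fields[0][0] == 0xA0:                       # explicit [0] version; absent in v1 certs
        fields = fields[1:]
    tag, start, _, end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[start:end]

def tlsa_association_data(cert_der, selector, matching_type):
    """Certificate Association Data as defined in RFC 6698 section 2.1.4."""
    if selector not in (0, 1):
        raise ValueError(f"unknown selector {selector}")
    obj = cert_der if selector == 0 else spki_from_cert(cert_der)   # 0: full cert, 1: SPKI
    if matching_type == 0:
        return obj                                 # exact match of the object itself
    if matching_type == 1:
        return hashlib.sha256(obj).digest()
    if matching_type == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def tlsa_record(cert_der, usage=3, selector=1, matching_type=1):
    """Server side: presentation-format RDATA for the zone, e.g. '3 1 1 <hex>'."""
    data = tlsa_association_data(cert_der, selector, matching_type).hex()
    return f"{usage} {selector} {matching_type} {data}"

def dane_verify(peer_cert_der, tlsa_records):
    """Client side: does the handshake certificate match any DANE-EE (usage 3) record?
    Usage 3 pins the end-entity certificate itself, so no CA chain is involved."""
    for rdata in tlsa_records:
        usage, selector, mtype, data = rdata.split()
        if int(usage) != 3:
            continue                               # DANE-TA and PKIX usages not handled here
        try:
            computed = tlsa_association_data(peer_cert_der, int(selector), int(mtype))
        except ValueError:
            continue                               # unknown selector/matching type: skip record
        if computed == bytes.fromhex(data):
            return True
    return False

def build_fake_cert(pubkey_bytes):
    """Constructed stand-in for a real certificate: correct structure, dummy content."""
    sha256_rsa = der(0x06, bytes.fromhex("2a864886f70d01010b"))    # 1.2.840.113549.1.1.11
    rsa = der(0x06, bytes.fromhex("2a864886f70d010101"))           # 1.2.840.113549.1.1.1
    spki = der(0x30, der(0x30, rsa + der(0x05, b"")) + der(0x03, b"\x00" + pubkey_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                  # [0] version v3
                    + der(0x02, b"\x01")                           # serialNumber
                    + der(0x30, sha256_rsa + der(0x05, b""))       # signature algorithm
                    + der(0x30, b"")                               # issuer (empty Name)
                    + der(0x30, der(0x17, b"240101000000Z") * 2)   # validity (dummy)
                    + der(0x30, b"")                               # subject (empty Name)
                    + spki)
    return der(0x30, tbs + der(0x30, sha256_rsa + der(0x05, b"")) + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    server_cert = build_fake_cert(b"\x01" * 64)
    published = tlsa_record(server_cert)                  # what the operator puts in the zone
    print("_25._tcp.mx.example. IN TLSA", published)      # name: port, protocol, MX host
    print("genuine certificate accepted:", dane_verify(server_cert, [published]))
    forged_cert = build_fake_cert(b"\x02" * 64)           # different key, e.g. a MITM certificate
    print("forged certificate accepted:", dane_verify(forged_cert, [published]))
```

A `3 1 1` record (SubjectPublicKeyInfo, SHA-256) is the usual choice because it survives certificate renewals that keep the same key. The DNS lookup and the DNSSEC validation that deliver `published` to the client are deliberately outside the snippet; without them the comparison proves nothing, as the DNSSEC section above explains.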
Other measures to maintain security when transmitting e-mails:
- Disable SSLv3 (and other obsolete protocol versions)
- Perfect Forward Secrecy (PFS)
- Use trusted certificates (additionally secured with DANE and DNSSEC)
- Do not use encryption algorithms that are considered broken or weak
- Enforce TLS for selected destinations (targeted enforced TLS)
- Validate the certificates of destination servers and, where policy requires it, refuse delivery when validation fails
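As an added example (mine, not configuration from this page or from SecuMail), the following Python shows how the protocol, cipher and certificate measures in the list translate into a client-side TLS policy for an outbound mail connection, with a deliberately permissive context beside the hardened one, and what "enforced TLS" means operationally: with `require_tls=True` the delivery attempt aborts rather than falling back to plaintext or to an unvalidated certificate. `build_mail_tls_context`, `build_permissive_context`, `audit_context` and `deliver_with_enforced_tls` are names I chose; the delivery function needs a reachable SMTP server and is shown but not exercised here.

```python
"""Outbound mail TLS policy with the Python standard library (added example).
Maps the listed measures onto ssl.SSLContext settings and shows the
difference between opportunistic and enforced TLS for a destination."""
import smtplib
import ssl

def build_mail_tls_context():
    """Hardened client context: TLS 1.2+, ECDHE-only AEAD suites, full validation."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED + hostname check + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 (and TLS 1.0/1.1) disabled
    # Forward secrecy: ephemeral ECDH key exchange only, AEAD ciphers only. This also
    # excludes RC4, 3DES, MD5 and NULL/export suites. TLS 1.3 suites are configured
    # separately by OpenSSL and are always ephemeral, so they stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx

def build_permissive_context():
    """Counter-example: no certificate validation, static-RSA suites still allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate, forged ones included
    ctx.set_ciphers("ALL:!aNULL:!eNULL")           # includes non-PFS RSA key exchange
    return ctx

def audit_context(ctx):
    """Check a context against the measures in the list; returns measure -> bool."""
    names = [s["name"] for s in ctx.get_ciphers()]  # enabled suites as OpenSSL names
    return {
        "sslv3_disabled": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        # TLS 1.2 ECDHE suites are named ECDHE-*, TLS 1.3 suites TLS_* (always ephemeral)
        "perfect_forward_secrecy": all(n.startswith(("ECDHE-", "TLS_")) for n in names),
        "no_weak_ciphers": not any(w in n for n in names for w in ("RC4", "DES", "MD5", "NULL")),
        "validates_certificates": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }

class TlsPolicyViolation(Exception):
    """The destination cannot meet the TLS policy required for it."""

def deliver_with_enforced_tls(host, port, message, ctx, require_tls=True):
    """Connect, upgrade with STARTTLS under ctx and hand over an email.message.Message.
    require_tls=True is targeted enforced TLS for this destination: missing STARTTLS
    or a certificate that fails validation refuses delivery instead of downgrading.
    require_tls=False is opportunistic TLS: a server without STARTTLS is used in
    plaintext, but a failed TLS handshake is never silently downgraded either.
    Needs a reachable SMTP server; not run in this example."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            if require_tls:
                raise TlsPolicyViolation(f"{host}:{port} offers no STARTTLS")
        else:
            try:
                smtp.starttls(context=ctx)         # raises SSLCertVerificationError on a bad cert
            except ssl.SSLError as exc:
                raise TlsPolicyViolation(f"TLS to {host}:{port} failed: {exc}") from exc
            smtp.ehlo()                            # re-EHLO after the upgrade (RFC 3207)
        return smtp.send_message(message)

if __name__ == "__main__":
    print("hardened  :", audit_context(build_mail_tls_context()))
    print("permissive:", audit_context(build_permissive_context()))
```

The cipher string keeps only ECDHE key exchange with AEAD ciphers, which gives forward secrecy and excludes RC4, 3DES, export and NULL suites in one go. The DANE check described above would slot in after `starttls()`, on `smtp.sock.getpeercert(binary_form=True)`; a DANE-aware sender following RFC 7672 lets a matching DANE-EE record stand in for CA validation rather than requiring both.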
Can DANE also secure your e-mail system?
Ask us about e-mail security: 08171-2469120 / support@secumail.de
Hannes Wilhelm
Links:
http://www.heise.de/netze/artikel/Transitschutz-DNSSEC-und-DANE-auf-Linux-Servern-konfigurieren-2636175.html
http://www.heise.de/netze/artikel/DNSSEC-und-DANE-Hilfestellung-zur-Mail-Verschluesselung-2619026.html
https://sys4.de/de/blog/2014/05/24/einen-tlsa-record-fuer-dane-mit-bind-9-publizieren/
https://de.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
https://de.ssl-tools.net/bullshit-germany
https://de.ssl-tools.net/mailservers/secumail.de
https://www.secumail.de