Posteo supports DANE/TLSA
Created at 12 May 2014, 08:45 | Category: Info
Dear Posteo users,
From today onwards, we support the innovative technology DANE/TLSA (DNS-based Authentication of Named Entities). DANE eliminates various weaknesses in the widely used transport encryption SSL/TLS – and increases the security of encrypted email transport and of encrypted access to websites.
With DANE, the so-called “digital fingerprints” of an encryption certificate are stored in the internet’s “telephone book” (DNS). There they can be automatically checked by email servers, email programs and browsers before an encrypted connection to a website is established or an email is delivered. The authenticity of a server can thereby be verified before each connection. Until now, most servers sent data over an encrypted connection without first verifying the authenticity of the other server. DANE effectively prevents third parties (such as criminals or intelligence agencies) from pretending to be a particular web or email server in order to obtain login data or content (using a falsified certificate).
Entries in the internet’s so-called “telephone book” are additionally secured with DNSSEC technology, so that DANE can be trusted. DNSSEC prevents third parties from altering entries and switching the “digital fingerprints” of the encryption certificates. Unfortunately, DNSSEC is not yet supported by most domain providers. Posteo had to change its domain provider in order to introduce DANE.
DANE also opens possibilities on another level: Email servers can now force a connection to be encrypted with the help of a DANE entry. Previously, email servers would negotiate whether they could support encryption before establishing the connection. Posteo has already configured its server for this: If other email providers also have a DANE entry, then Posteo sends to their servers with encrypted connections. If no encrypted connection can be achieved, then email sending will be cancelled for security reasons. This not only prevents man-in-the-middle attacks, but is also important for the following reason: With DANE, email servers can clearly authenticate themselves worldwide – and mutually guarantee that emails are always exchanged over an encrypted connection. This is not the case, for example, with “Email Made in Germany”, a group of a few German providers that leaves out all other email servers and only promises its users encrypted connections between each other. Posteo rejects such “partitioning” of some German providers: A global network requires global improvements to the security of communication via consistent, open standards.
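The two mechanisms described above (a certificate fingerprint published as a TLSA record, and a sending server that treats the presence of that record as a requirement for an encrypted, verified connection) as an added example; this is illustrative code, not Posteo’s software. It uses only the Python standard library, the sample certificate is a constructed DER skeleton rather than a real one, and only certificate usage 3 (DANE-EE) is checked.

```python
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def spki_of(cert_der):
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from an X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate ::= SEQUENCE
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0  # skip optional [0] version
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        pos = _tlv(tbs, pos)[2]
    return tbs[pos:_tlv(tbs, pos)[2]]

def tlsa_data(cert_der, selector, mtype):
    """Association data: selector 0 = full cert, 1 = SPKI; matching 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    obj = cert_der if selector == 0 else spki_of(cert_der)
    return {0: obj, 1: hashlib.sha256(obj).digest(), 2: hashlib.sha512(obj).digest()}[mtype]

def tlsa_rr(port, host, usage, selector, mtype, cert_der):
    """Zone-file line a mail server would publish for its SMTP certificate (host is a placeholder)."""
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"

def delivery_policy(tlsa_records, tls_established, peer_cert_der):
    """Sending-side decision as the post describes it: no TLSA record -> opportunistic delivery;
    TLSA published -> TLS is mandatory and the peer certificate must match, otherwise delivery is cancelled.
    Only DANE-EE (usage 3) is checked; usage 2 (trust anchor) would need the presented chain."""
    if not tlsa_records:
        return "deliver (opportunistic TLS)"
    if not tls_established or peer_cert_der is None:
        return "cancel: TLSA published but no encrypted connection"
    for usage, sel, mt, data in tlsa_records:
        if usage == 3 and tlsa_data(peer_cert_der, sel, mt) == data:
            return "deliver (DANE-EE match)"
    return "cancel: certificate does not match any TLSA record"

# Constructed sample certificate (not a real one): minimal DER skeleton whose only meaningful field is the SPKI.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                   + _der(0x03, b"\x00" + b"\x42" * 16))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
```

On a real certificate, `spki_of` would be applied to the DER bytes of the server certificate and the resulting `tlsa_rr` line placed in the DNSSEC-signed zone; the DNSSEC validation of the TLSA lookup itself is outside this snippet.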
Because the technology is not yet widespread, there are currently hardly any other programs or providers that support DANE. Despite this, we want to lead by example and promote the spread of this important process – DANE will, in the future, make an essential contribution to making the internet safer.
There are already DANE add-ons for all current browsers, with which internet users can secure their access to Posteo using DANE. Via this link, you can find a list of all currently available extensions. We cannot provide any support for add-ons or tools. We appreciate your understanding.
The technology is, however, not yet directly implemented in any browser. We hope that the developers of DANE and DNSSEC will achieve this as soon as possible. We also encourage other email providers to implement DANE, so that communication between email servers over encrypted connections becomes more secure worldwide.
The Posteo team