As of May 2014, Posteo has implemented the DANE/TLSA technology (DNS-based Authentication of Named Entities). DANE closes several weaknesses in the widely used SSL/TLS transport encryption and so makes the encrypted transport of emails, and encrypted access to websites, more secure.
For Posteo, DANE encryption occurs in the background – you don’t need to do anything.
With DANE, the so-called “digital fingerprints” of an encryption certificate are stored in the internet’s “telephone book” (DNS). There, they can be checked automatically by email servers, email programs and browsers before an encrypted connection to a website is established or an email is sent. This allows the identity of a server to be verified before each connection is established. Until now, most servers sent data over an encrypted connection without first verifying the identity of the other server. DANE effectively prevents third parties (such as criminals or intelligence agencies) from using forged certificates to impersonate a particular web or email server in order to obtain login details or content.
Entries in the internet’s “telephone book” are additionally secured with DNSSEC technology, so that DANE can be trusted. DNSSEC prevents third parties from altering entries or switching the “digital fingerprints” for the encryption certificates. Unfortunately, DNSSEC is not supported by most domain providers. Before introducing DANE, Posteo needed to change its domain provider.
Encrypted connections enforced
DANE also creates possibilities on other levels: Email servers can now enforce encrypted connections with the help of a DANE entry. Previously, before establishing a connection, email servers would negotiate with one another as to whether both partners could support an encrypted connection. Posteo has already configured its servers such that if other email providers also have a DANE entry, Posteo will only communicate with them over encrypted connections. If no encrypted connection can be established, sending of the email will be cancelled for security reasons. This prevents man-in-the-middle attacks, among other things.
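The two mechanisms described above, the certificate fingerprint published in DNS and the mail server's decision to refuse delivery when a DANE-protected peer cannot be reached over a verified encrypted connection, can be shown in a few lines of code. The following is an added example and not Posteo's code: it builds a TLSA record of the kind described (usage 3, “DANE-EE”, with the SHA-256 fingerprint of the full certificate), checks a certificate presented in a TLS handshake against such records, and applies the delivery policy from the paragraph above. The certificate bytes, the host name `mail.example` and the function names are all constructed for the example; only DNSSEC-validated records are trusted, which is the point made about DNSSEC on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed placeholders standing in for DER-encoded certificates. In practice
# the bytes come from the TLS handshake; any byte string serves for this demo.
CONSTRUCTED_CERT_DER = b"constructed-placeholder-certificate-DER-bytes-for-mail.example"
CONSTRUCTED_ROGUE_CERT_DER = b"constructed-placeholder-certificate-presented-by-an-impostor"


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA record (RFC 6698): usage, selector, matching type, association data."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo only
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """DNS name under which the TLSA record for a service is published."""
    return f"_{port}._{proto}.{host}."


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the 'digital fingerprint' that goes into the TLSA record."""
    if selector != 0:
        # Selector 1 (SubjectPublicKeyInfo) needs an ASN.1 parser; not modelled here.
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_dane_ee_record(cert_der: bytes, matching: int = 1) -> TLSARecord:
    """Build the record a site operator would publish for its own certificate."""
    return TLSARecord(3, 0, matching, association_data(cert_der, 0, matching))


def to_presentation(rec: TLSARecord) -> str:
    """Zone-file text form, e.g. '3 0 1 <hex digest>'."""
    return f"{rec.usage} {rec.selector} {rec.matching} {rec.data.hex()}"


def from_presentation(text: str) -> TLSARecord:
    usage, selector, matching, hexdata = text.split()
    return TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def certificate_matches(cert_der: bytes, records: Iterable[TLSARecord],
                        dnssec_validated: bool) -> bool:
    """True if the presented certificate matches a DNSSEC-validated DANE-EE record."""
    if not dnssec_validated:
        return False  # unsigned records could have been swapped by a third party
    for rec in records:
        if rec.usage != 3 or rec.selector != 0:
            continue  # DANE-TA and PKIX usages need chain building; skipped here
        try:
            if association_data(cert_der, rec.selector, rec.matching) == rec.data:
                return True
        except ValueError:
            continue  # unknown matching type: ignore this record
    return False


def smtp_delivery_decision(records: list, dnssec_validated: bool,
                           tls_established: bool, cert_der: Optional[bytes]) -> str:
    """Sending-side policy: 'deliver', 'deliver-opportunistic' or 'defer'.

    Peers without (validated) TLSA records get ordinary opportunistic STARTTLS;
    peers that publish DANE get mail only over a verified encrypted connection.
    """
    if not records or not dnssec_validated:
        return "deliver-opportunistic"
    if not tls_established or cert_der is None:
        return "defer"  # no encrypted connection: do not send
    if not certificate_matches(cert_der, records, dnssec_validated):
        return "defer"  # encrypted, but to a server with the wrong certificate
    return "deliver"


if __name__ == "__main__":
    rec = make_dane_ee_record(CONSTRUCTED_CERT_DER)
    print(tlsa_owner_name("mail.example"), "IN TLSA", to_presentation(rec))
    print(smtp_delivery_decision([rec], True, True, CONSTRUCTED_CERT_DER))
    print(smtp_delivery_decision([rec], True, True, CONSTRUCTED_ROGUE_CERT_DER))
```

The `defer` result is the behaviour the paragraph above describes: when a peer publishes DANE records but no verified encrypted connection can be established, the message is held back rather than sent in the clear or to an impostor. The `dnssec_validated` flag is deliberately separate from the record lookup, because a resolver that does not validate DNSSEC cannot tell a genuine fingerprint from a replaced one.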
An open, globally applicable alternative to the “Email made in Germany” initiative
The process is also important for the following reason: DANE allows email servers worldwide to authenticate themselves unambiguously – and to mutually guarantee that emails are always sent over encrypted connections. This differs from “Email made in Germany”, for example, a group of a few German providers that leaves all other email servers out and promises its users encrypted connections only among its members. Posteo rejects this partitioning by some German email providers: a global network requires global improvements to the security of communication through consistent, open standards.
Because the technology is not yet widespread, there are currently hardly any programs or other providers that support DANE. We therefore want to lead by example and promote the spread of this important process – DANE will in future make a substantial contribution to making communication via the internet more secure again.
There are already DANE add-ons for all current browsers with which internet users can secure their access to Posteo with DANE. On the following websites you will find a list of all available extensions. Please note that we cannot provide support for add-ons or tools.
The technology is, however, not yet implemented in any browser. We hope that the creators of DANE and DNSSEC will soon alleviate this. We would also like to encourage other email providers to implement DANE, so that communication over encrypted connections between email servers becomes more secure worldwide.
External reports (in German) on our introduction of DANE
Heise.de: Verschlüsselter Mail-Transport: Posteo setzt als erster Provider DANE ein (Encrypted mail transport: Posteo is the first provider to use DANE)
Spiegel-Online: E-Mail-Transport: Posteo unterstützt Verschlüsselungstechnik DANE (Email transport: Posteo supports the encryption technology DANE)