On Mon, Sep 20, 2021 at 09:13:11PM +0200, exim-users--- via Exim-users wrote:
> > This is where our priorities differ. Barring a practical downgrade
> > attack on SMTP STARTTLS made possible by keeping TLS 1.0 enabled, I
> > see little reason yet to force the remaining TLS 1.0 to use cleartext.
> > (Yes I'm aware of past cross-protocol attacks, see the author list of
> > DROWN: <https://drownattack.com/drown-attack-paper.pdf>)
>
> Kudos, real nice paper.
For the record, my contribution was small, I observed that the
RC4 part of the attack was substantially more effective in the
presence of another bug, that was fixed less than a year back
at the time, and likely not universally deployed.
The real hard work was by Nimrod Aviram and others. So not claim
credit, so much as note that I'm familiar with the existence of
potential cross-protocol issues.
> Anyway, as you wrote in another mail, main attack would be stripping STARTTLS
> before the connection is encrypted. I currently see no real widely used extension
> to address that. TLSA records and DANE are not implemented widely, MTA-STS
> probably even less wide.
DANE is yet at "widely used" but adoption of both DNSSEC and DANE is
growing steadily.
https://stats.dnssec-tools.org/
MTA-STS is pretty much just Google. Well also mail.ru and comcast.net
(who also do DANE).
If you care about SMTP transport security, do DANE, but make sure you
implement monitoring and a robust key rollover process. Just turning
DANE on and neglecting it does nobody any good.
--
Viktor.