On 04/27/2016 01:21 AM, Brandon Vincent wrote:
> On Wed, Apr 27, 2016 at 1:10 AM, Rob Kampen <rkampen@xxxxxxxxxxxxxxxxx> wrote:
>> Sounds good, but how many domain MX servers have set up these fingerprint
>> keys - 1%, maybe 2%, so how do you code for that? I guess I'm thinking it
>> uses it if available. So even if you do post it on your DNS, how many
>> clients out there are using DANE on their setup? By the time it becomes
>> more than a tiny % and generally useful, it will be in CentOS 8. It also
>> requires certificates to be implemented more ubiquitously than at present -
>> although we do now have affordable solutions, so this one may resolve more
>> quickly.
> I hope my prior comments weren't too off topic but a lot of people
> don't seem to understand the purpose for an enterprise distribution.
> DANE is a perfect example of this. Go poll the SMTP servers for any
> company on the S&P 500 and I can almost guarantee that 99.9% of them
> will not have TLSA records for DANE. It's a new/emerging technology.
> The same is true with DNSSEC (which is actually quite old).
> Last poll I saw, 2% of the top 500 did in fact have DNSSEC.
TLSA is just a record like any other DNS record, it is just meaningless
without DNSSEC.
Enterprises are typically behind in the technology they adopt.
Stability and reliability are paramount. This is where RHEL and CentOS
come in.
Stability though should not come at the cost of halting progress.
Security and Privacy on the Internet are both severely broken.
If you read the white papers from when the Internet was first being
designed, security was rarely even mentioned.
Look at how many "secure" web servers still use SSLv2 and SSLv3 - this
is because the "stable" Enterprise UNIX distributions were slow to progress.
DNS is a severely insecure system, and so is SMTP.
Hell - security of SMTP is so sloppy that quite often, the TLS
certificate doesn't even match the hostname.
Cipher suites that we know to be insecure are often still supported by
mail servers because they take the flawed attitude that weak ciphers are
better than plain and the opportunistic nature of SMTP allows for plain.
It was that same mindset that resulted in a lot of mail servers
supporting SSLv2, resulting in capture of the private key in the DROWN attack.
When it comes to security, we can't be stale. We have to progress
because what we currently have is not good enough.
We need to embrace DNSSEC and we need to promote DNSSEC. Trust is easy
to exploit; DNSSEC provides a means to verify, so that trust is not needed.
Using "enterprise" as an excuse to not move forward with security
progress is just plain foolish.
Enterprise or not, DNSSEC should be a top priority to deploy in your DNS
zone.
Enterprise or not, if you run a mail server, you really need to publish
an accurate TLSA record for TCP port 25 of your MX mail servers.
Enterprise or not, your mail servers should look for a TLSA record on
port 25 of the receiving server, and if found, only connect to that
server if the connection is secure and the TLS certificate matches the
TLSA record.
The Internet is broken security-wise, and a big part of the solution is
available now and free to deploy.
If that means upgrading software in an "Enterprise" distribution, then
that's what you do.
It's called taking responsibility for the security and privacy of your
users. It's called using intelligence. It's called doing the job right.
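As an added example (not code from this thread, nor from any mail server or CentOS package), here is how the two recommendations above fit together: `tlsa_record()` derives the "3 1 1" (DANE-EE, SubjectPublicKeyInfo, SHA-256) record an MX operator would publish under `_25._tcp.<mx-hostname>`, and `matches_tlsa()` is the comparison a sending server performs against the certificate it was handed after a DNSSEC-validated TLSA lookup. The certificates are constructed, unsigned DER skeletons produced by `_fake_cert()` so the script runs offline; the hostname is a placeholder, and the DNSSEC lookup and TLS handshake themselves are outside the example.

```python
import hashlib

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (bodies up to 255 bytes, enough for this sample)."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def _elements(seq_body: bytes):
    """Yield (tag, raw_tlv, body) for each element of a DER SEQUENCE body."""
    i = 0
    while i < len(seq_body):
        first = seq_body[i + 1]
        k = 0 if first < 0x80 else first & 0x7F  # long-form length uses k extra bytes
        blen = first if k == 0 else int.from_bytes(seq_body[i + 2:i + 2 + k], "big")
        end = i + 2 + k + blen
        yield seq_body[i], seq_body[i:end], seq_body[i + 2 + k:end]
        i = end

def spki_of(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    tbs_body = next(_elements(next(_elements(cert_der))[2]))[2]
    fields = [raw for tag, raw, _ in _elements(tbs_body) if tag != 0xA0]  # drop [0] version
    return fields[5]  # serial, signature, issuer, validity, subject, SPKI

_DIGEST = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def tlsa_record(owner: str, cert_der: bytes, usage=3, selector=1, mtype=1) -> str:
    """Render a TLSA RR; the defaults give DANE-EE / SPKI / SHA-256, i.e. "3 1 1"."""
    data = spki_of(cert_der) if selector == 1 else cert_der
    return f"{owner} IN TLSA {usage} {selector} {mtype} {_DIGEST[mtype](data).hex()}"

def matches_tlsa(cert_der: bytes, record: str) -> bool:
    """True if the presented certificate satisfies the record's association data."""
    selector, mtype, assoc = record.split()[4:7]
    data = spki_of(cert_der) if int(selector) == 1 else cert_der
    return _DIGEST[int(mtype)](data).hex() == assoc.lower()

def _fake_cert(serial: int, key_bits: bytes) -> bytes:
    """Constructed, unsigned certificate skeleton: just enough DER for spki_of()."""
    rsa_oid = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL
    spki = _tlv(0x30, _tlv(0x30, rsa_oid) + _tlv(0x03, b"\x00" + key_bits))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + _tlv(0x30, rsa_oid) + _tlv(0x30, b"") * 3 + spki)
    return _tlv(0x30, tbs + _tlv(0x30, rsa_oid) + _tlv(0x03, b"\x00"))

CERT_A = _fake_cert(1, b"\x01" * 64)          # certificate currently on the MX
CERT_A_RENEWED = _fake_cert(2, b"\x01" * 64)  # renewed certificate, same key pair
CERT_B = _fake_cert(3, b"\x02" * 64)          # a certificate for a different key pair
RECORD = tlsa_record("_25._tcp.mx.example.com.", CERT_A)
```

Because the record hashes the SubjectPublicKeyInfo rather than the whole certificate, renewing the certificate with the same key pair (CERT_A_RENEWED) still matches, while a key change (CERT_B) does not; a selector-0 record would have to be republished on every renewal.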
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos