Conversation

TIL havedane.net. Check your mail system's outgoing validation (whether it can be MITM'd).

Rich Felker

@RichFelker

Apr 7, 2020

If only it had a hall of shame for senders that deliver to wrong...

@WhatSecurity

Apr 7, 2020

Replying to

@RichFelker

By all means, build a tool that does this. Instructions and code are linked at the bottom. This tool doesn't, because that would make it less useful as a tool (i.e. knowing where you stand without social risk).

Replying to

and

To clarify: I think both are useful (with & without the HoS). I built one. I'll be glad to see the other built as well.

Replying to

and

I think the use would primarily be users checking if their mail providers are secure. As a nice example, ProtonMail claims to support DANE but someone in #grapheneos tested with havedane.net and ProtonMail happily delivered a message to wrong.havedane.net...

Replying to

and

It would also be nice to have a 4th test using a domain with a valid DANE record but without DNSSEC. It's possible to enable DANE verification without DNSSEC, at least with Postfix, and ideally that kind of misconfiguration would be detected.

12:48 PM · Apr 7, 2020Twitter Web App

Replying to

and

While it's a misconfiguration per the standards, it's still far better than not having DANE at all. MITM then requires ability to intercept both connection and DNS channel.

Replying to

and

Yeah, it's so easy to just build it with DNSSEC support and turn on a single additional option though. I think it would be pretty easy to accidentally enable DANE support without turning on DNSSEC. Both should really be enabled by default, since it doesn't break compatibility.

Show replies

Replying to

and

A few years ago,

listed several such additional testing possibilities on the dane-users mailing list: mail.sys4.de/pipermail/dane. They seem useful (as does your suggestion), and I encourage anyone who's willing to invest more than a few hours to build such a test.

Replying to

(But I'm not that person 😊)

Replying to

and

Postfix supports "half-dane" where the domain is not signed, but the MX hosts are in a signed domain, that has TLSA RRs. This is of course still vulnerable to MiTM, but tamper-evident since the fake MX host is logged. There is no support in Postfix for DANE via unsigned MX hosts.

Replying to

and

Does Postfix insist on doing its own DNSSEC validation? If you outsource it I don't see how it makes the distinction.