Daniel Micay on Twitter: "@RichFelker They're barely even dogfooding MTA-STS: https://t.co/6Lr86QVU05 They still have only 1 day expiry so if your server doesn't connect to them for 24h, the enforcement will stop working. An attacker able to block the connections for 24h could bypass the MTA-STS authentication." / Twitter

MTA-STS was purely a move to sabotage effort to deploy DANE based onom some weird internal Google 💩. A 90s-era-MS clowncar.

Quote Tweet

Daniel Micay

@DanielMicay

Aug 16, 2021

They could easily add TLSA records for those and have proper authenticated encryption instead of the weak security offered by MTA-STS. MTA-STS is WebPKI sans CT with insecure connections by default and no equivalent to HSTS preloading. Not even easier than DANE. It's harder...

Show this thread

1

Daniel Micay

@DanielMicay

Replying to

@RichFelker

They're barely even dogfooding MTA-STS: mta-sts.gmail.com/.well-known/mt They still have only 1 day expiry so if your server doesn't connect to them for 24h, the enforcement will stop working. An attacker able to block the connections for 24h could bypass the MTA-STS authentication.

1:04 PM · Aug 16, 2021Twitter Web App

Conversation