Something something DANE cook: Microsoft pledges to wrap its email systems in secure anti-snooping protocol

Office 365 will finally get DNSSEC-based protection later this year

Microsoft will add DNS-based Authentication of Named Entities (DANE) and DNSSEC to its email systems by the end of the year, the software giant has pledged.

“Today we are announcing that Exchange Online will be adding support for two new Internet standards specific to SMTP traffic," Microsoft's Exchange Transport Team said in a blog post this week. "These standards are DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities)."

The DANE protocol has been floated for nearly ten years. The German government mandated its use in 2016, for instance. Take-up, however, has been slow in much the same way the related DNSSEC protocol has taken a long time to take hold.

Implementing the protocol requires a significant investment of time and effort, not least because a misconfiguration can cause it to fail. Microsoft noted that adding DANE “will require investment and architecture changes to the Microsoft infrastructure.” It decided this effort is worth it, though, largely because existing protocols aren’t sufficiently secure. The ubiquitous SMTP email protocol “was designed a long time ago, when message delivery was considered more important than security,” the Microsoft team noted.

SMTP is not secure on its own, and while SMTP over TLS (STARTTLS) encrypts traffic in transit, it is still potentially vulnerable: sending servers typically use TLS opportunistically and do not verify the certificate the receiving server presents, so an eavesdropper on the network path can insert a server between you and the SMTP server you wish to reach, with this in-between machine masquerading as the legit service and presenting its own TLS certificate. This man-in-the-middle snooper can inspect the content of messages as they flow from you, through this malicious middle node, to the desired destination. You may think your software is communicating securely with the genuine SMTP server, but it is in fact communicating with the fake. The same attacker can also just strip the STARTTLS offer from the server's greeting, and an opportunistic sender will quietly fall back to plaintext.

DANE, however, allows email systems to use TLSA DNS resource records to determine that an SMTP server is genuine before sending any message data. These resource records specify what a particular SMTP server's TLS certificate should look like. When connecting to a mail server, the sending system looks up TLSA records under the name of the receiving domain's MX host (for port 25, at _25._tcp followed by the MX hostname), and those records define aspects of that server's TLS certificate, such as a hash value that acts as a fingerprint of the certificate or of its public key.

If someone tries to man-in-the-middle your connection by impersonating the SMTP server, the TLS certificate it presents won't match the specifications in the DNS records for the server's domain name, and thus the connection should be abandoned rather than downgraded to an unauthenticated one. The TLSA lookup itself has to be validated with DNSSEC: without that, an attacker who can spoof DNS answers could simply serve up a record matching its own certificate.

Here's Microsoft’s explanation: “DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks.”
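As an added illustration (not Microsoft's or Exchange Online's code, and not from the article), the following Python sketches the sending-side logic described above: the TLSA owner name a sender queries, how a receiving domain derives the record from its certificate, how a sender matches the presented certificate chain against the record, and the RFC 7672 policy that refuses to fall back when a DNSSEC-secured record exists, which is what makes the connection resistant to the downgrade and MITM attacks in Microsoft's description. The certificates are constructed byte strings standing in for DER; extracting the SubjectPublicKeyInfo from a real certificate needs an X.509 library, and full DANE-TA chain validation is left out.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

# RFC 6698 TLSA field values; RFC 7672 permits only usages 2 and 3 for SMTP.
DANE_TA, DANE_EE = 2, 3                              # certificate usage
SEL_CERT, SEL_SPKI = 0, 1                            # selector
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2     # matching type


@dataclass(frozen=True)
class Cert:
    """A certificate as received in the TLS handshake. Both fields are constructed
    stand-ins here; a real client parses the DER and extracts the SPKI with an X.509 library."""
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Name the sender queries for the MX host: _<port>._tcp.<MX hostname>."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa(text: str) -> TLSA:
    """Parse zone-file presentation format, e.g. '3 1 1 a1b2c3...'."""
    usage, selector, mtype, hexdata = text.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def association_data(rec: TLSA, cert: Cert) -> bytes:
    """What the record's data field must equal for this certificate."""
    selected = cert.der if rec.selector == SEL_CERT else cert.spki
    if rec.mtype == MATCH_FULL:
        return selected
    if rec.mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def publish_tlsa(cert: Cert, usage=DANE_EE, selector=SEL_SPKI, mtype=MATCH_SHA256) -> str:
    """What the receiving domain's operator puts in its zone for the MX host."""
    template = TLSA(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(template, cert).hex()}"


def usable(rec: TLSA) -> bool:
    """Records with parameters unknown to (or unsupported by) the client are 'unusable'."""
    return (rec.usage in (DANE_TA, DANE_EE) and rec.selector in (SEL_CERT, SEL_SPKI)
            and rec.mtype in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))


def record_matches(rec: TLSA, chain: list) -> bool:
    """chain[0] is the server's leaf certificate, followed by whatever else it sent."""
    if not usable(rec):
        return False
    if rec.usage == DANE_EE:                         # pin the end-entity certificate itself
        return association_data(rec, chain[0]) == rec.data
    # DANE-TA: some certificate the server sent is the trust anchor. A real client must
    # additionally validate the leaf up to that anchor; this example only finds it.
    return any(association_data(rec, c) == rec.data for c in chain[1:])


class Lookup(Enum):
    SECURE = "secure"       # answer validated with DNSSEC (AD bit from a validating resolver)
    INSECURE = "insecure"   # zone is not signed: DANE does not apply
    BOGUS = "bogus"         # DNSSEC validation failed


def delivery_decision(status: Lookup, records: list, starttls_offered: bool, chain: list) -> str:
    """RFC 7672 policy: 'dane', 'opportunistic', 'tls-required' or 'defer'."""
    if status is Lookup.BOGUS:
        return "defer"                 # tampered or broken DNS: never fall back to plaintext
    if status is Lookup.INSECURE or not records:
        return "opportunistic"         # today's behaviour: STARTTLS if offered, unauthenticated
    if not starttls_offered:
        return "defer"                 # STARTTLS stripped from the greeting: downgrade attempt
    usable_records = [r for r in records if usable(r)]
    if not usable_records:
        return "tls-required"          # TLS mandatory but cannot be authenticated
    if any(record_matches(r, chain) for r in usable_records):
        return "dane"                  # authenticated: deliver
    return "defer"                     # MITM, or stale TLSA records after a key rotation


if __name__ == "__main__":
    legit = Cert(b"constructed DER: legit MX leaf", b"constructed SPKI: legit MX key")
    mitm = Cert(b"constructed DER: attacker cert", b"constructed SPKI: attacker key")
    rec = parse_tlsa(publish_tlsa(legit))
    print(tlsa_owner_name("mail.example.com"), "IN TLSA", publish_tlsa(legit))
    for name, chain, tls in (("legit", [legit], True), ("mitm", [mitm], True), ("stripped", [legit], False)):
        print(name, "->", delivery_decision(Lookup.SECURE, [rec], tls, chain))
```

The policy is the part operators trip over in practice: once a DNSSEC-signed TLSA record exists, a certificate rotation that is not mirrored in DNS looks exactly like a MITM to senders, so the record has to be published (and a "3 1 1" SPKI pin makes reissuing a certificate for the same key harmless).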

To the point: it's authenticated, encrypted server-to-server email, and Microsoft will add it to Office 365 Exchange Online.

Two phases

Highlighting the difficulty of deploying DANE across a large system, the Windows giant will roll it out in two phases. The first phase, to be completed by the end of 2020, will cover outbound email, and then the IT titan is giving itself another year, to the end of 2021, to cover inbound email.

The announcement was met with something bordering close to joy by DANE advocates. “Welcome to the DANE SMTP community, congratulations and thanks,” said Viktor Dukhovni, who helped develop the protocol and has been pushing for its adoption for years.

“If this comes to pass, we'll all owe Viktor a beer,” commented internet veteran Paul Vixie. “I can't easily describe what this could mean for the future of internet security. Real [life] security, not the theatrical kind. Viktor had been almost like a one-man band on this.”

Although there are quite a few email providers that offer DANE – Comcast perhaps being the largest – the addition of Microsoft to the list could prove to be a tipping point for the industry. As ever with DNS protocols, it is a slow-moving process because there’s little point in adopting a new protocol until everyone else has – a chicken-and-egg situation.

DANE rides on top of DNSSEC and requires domains to be DNSSEC-signed to work. Fortunately more and more domains do include DNSSEC records, though another problem is deciding what to do with emails to and from domains that aren’t signed. And then there are the endless misconfigurations that exist everywhere on the network.

With a giant like Microsoft saying it will adopt DANE, it provides an impetus to others to also take the jump and sign their domains as well as check their configurations. ®

Biting the hand that feeds IT © 1998–2022