Follow

@Gargron
Would it be possible for Mastodon to implement DANE-verification against other instances?
It would a neat security feature

ยท ยท Web ยท 4 ยท 4 ยท 4

@Gargron

"It would be a neat security feature"

My spelling is lacking, usually after lunch

@selea @Gargron

I once proposed it for Matrix Synapse but it was met with... not much excitement to put that lightly :)

@kravietz @selea Can you elaborate on what you want from that feature and how you imagine it working?

@Gargron @selea

On each attempt to connect to a federated instance:

1) check presence of TLSA record in DNS for _xxx._tcp.host.example.com where _xxx is the target port number used by Mastodon/Matrix
2) get the hash from the TLSA record
3) when TLS connection is established, verify the TLSA hash against the certificate actually received

Details en.wikipedia.org/wiki/DNS-base

@Gargron @selea

Oh and 0) check if DNS response is DNSSEC-authenticated

For Synapse I can actually come up with a PR as it's Python, not sure about Mastodon.

@kravietz

For me, it sounds really strange that you got that reaction. It sounds like the next logical step to take for synapse!

Also, I would love if the @nextcloud client would support it aswell!

@kravietz did explain it very well, so I do feel that I do not need to explain it further :)

@Gargron

@selea @Gargron hmm, I feel like this might make federation slower due to added DNS lookups without adding any real security

I feel like someone getting into my DNS hosting settings would be the way to intercept connections to my instance

@ben

Would not it not add security?
I dont think that it would slow down federation, because it would not make sense to do a lookup every single time, but instead do it once every hour or when the TTL runs out.

If you are worrying about your DNS-hosting, then you should probably consider to change.

@Gargron

@selea @Gargron I'm not worried about my DNS being hijacked, but it is the single point most likely to be possible to hijacked in my specific situation

@ben

People still implement DKIM, SPF and other verification methods, and they dont skip it because of it is likely to be hijacked.

Yes, that could be something that could happend, but that is not a reason to invalidate DANE

@Gargron

@selea @Gargron I just don't see it as adding any security in this case

the HTTP signatures kind of hold the same role as DKIM in the case of the fediverse

@ben

> the HTTP signatures kind of hold the same role as DKIM in the case of the fediverse

Ah that's true, I get your point.

@Gargron

Sign in to participate in the conversation
Linux.Pizza

A instance dedicated - but not limited - to people with an interest in the GNU+Linux ecosystem and/or general tech. Sysadmins to enthusiasts, creators to movielovers - Welcome!