Use DANE, MTA-STS, TLSA, CAA (to restrict how certs can be issued for your domain: restrict the LetsEncrypt account, validation method, etc.), host your own DNS and manage DNSSEC yourself.
On Sun, 22 Oct 2023 at 11:20, Slavko via mailop <mailop@mailop.org> wrote:
> Hi all,
>
> while not directly about email, details were recently published
> about a successful MiTM attack against an XMPP server; the attacker
> was able to decrypt TLS communication without notice (from
> both sides, the server and the client) and was successful for at least
> three months, see
>
> https://notes.valdikss.org.ru/jabber.ru-mitm/
>
> In short: the attacker used a valid LE certificate (requested by
> themselves) to intercept traffic. The victims were services hosted on
> Hetzner and Linode, and it seems to be a German government
> action (not confirmed, but if true, it never will be).
>
> IMO, that attack can be successful against any TLS service (including
> email) and in any place (clouds, own, ...), thus it is worth being
> aware of it, as your service may not be as private as one might
> think.
>
> regards
>
> --
> Slavko
> https://www.slavino.sk/
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
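The CAA part of that advice (pinning which CA, which ACME account and which validation method may be used) is evaluated by the issuing CA as below. This is an added example, not code from the thread or from any CA; the zone contents, domain and account URI are constructed, and the logic follows RFC 8659 plus the accounturi/validationmethods parameters of RFC 8657.

```python
# Added example: evaluate a domain's CAA policy the way an issuing CA must
# (RFC 8659), including the ACME account/method parameters of RFC 8657.
# The zone below is constructed for the demonstration.
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (128) = issuer-critical
    tag: str
    value: str

def relevant_rrset(zone, name):
    """Walk from `name` towards the root; return the first non-empty CAA RRset."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def parse_value(value):
    """'ca.example; k=v; k2=v2' -> ('ca.example', {'k': 'v', 'k2': 'v2'})."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), {k.strip().lower(): v.strip() for k, v in params.items()}

def issuance_allowed(zone, name, ca, wildcard=False, account_uri=None, method=None):
    """Return (allowed, reason) for CA `ca` issuing a cert for `name` (or *.name)."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False, "unknown critical property: CA must refuse"
    tag = "issuewild" if wildcard and any(r.tag.lower() == "issuewild" for r in rrset) else "issue"
    candidates = [r for r in rrset if r.tag.lower() == tag]
    if not candidates:
        return True, f"no '{tag}' property present: unrestricted"
    for rec in candidates:
        issuer, params = parse_value(rec.value)
        if issuer != ca.lower():
            continue   # ';' (empty issuer) or another CA: does not authorize `ca`
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue   # RFC 8657: only the listed ACME account may request
        if "validationmethods" in params and method not in params["validationmethods"].split(","):
            continue   # RFC 8657: only the listed challenge types may be used
        return True, f"matched '{tag}' record for {ca}"
    return False, f"no '{tag}' record authorizes {ca} with these parameters"

# Constructed zone: one Let's Encrypt account, DNS-01 only, no wildcard issuance.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
ZONE = {"example.com": [
    CAARecord(0, "issue", f"letsencrypt.org; accounturi={ACCT}; validationmethods=dns-01"),
    CAARecord(0, "issuewild", ";"),
    CAARecord(0, "iodef", "mailto:security@example.com"),
]}
```

With this policy a certificate for mail.example.com obtained through a different ACME account, through HTTP-01, or from a different CA is a policy violation, which is exactly what a hosting-level interception of port 80 would have to do.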