Implement DANE for added security and privacy
DANE (DNSSEC) would be hugely beneficial to the security and privacy of ProtonMail. DANE makes Man-in-the-Middle attacks practically impossible.
This is a necessary addition and should certainly be prioritized overall, as it is at the core of what ProtonMail represents: privacy and security.
It's currently a feature available over at Tutanota (https://tutanota.com) and definitely sets it apart as an arguably more secure option. Here's a great read on the topic: https://tutanota.com/blog/posts/dane-everywhere
-
John Connett commented
A publicly visible DNS service with encrypted access, DNSSEC and DANE would be very useful. Using ProtonMail name servers rather than the default ones provided by my domain provider would close a potential security hole.
-
Nathan Lecompte commented
Awesome! Seems like DANE is already up and running: https://www.hardenize.com/report/protonmail.ch/1567954560#email_dane
Can't wait for version 4.0 - props to the ProtonMail team for valuing community input!
-
Anonymous commented
Yes! This is exactly what is needed next.
-
AdminProton (Admin, Proton) commented
Hi! Thanks for the suggestion. It will happen after our domain/DNS code refactor.
-
Nathan Lecompte commented
@Wil they do have DNSSEC set up but they do NOT seem to be using DANE. This tool gives a neat overview of the security standards supported by their mail server(s) at the present time: https://www.hardenize.com/report/protonmail.ch/1550539314#email_dane
-
Wil commented
Someone should update the status of this, looks to me like they're running DNSSEC currently.
-
[Deleted User] commented
Small update: Mailbox.org seems to have added **** support as well.
-
Jeremy commented
Yeah, it's long overdue that Protonmail implements DANE. As you said, Tutanota offers it and so does Posteo. Both have had it for about 4 years now. More email providers need to get to work and add this, especially if you're one that cares anything about secure email.
-
[Deleted User] commented
I absolutely agree, it'd definitely add to the security aspect of ProtonMail. It's not too big of an ask either compared to some of the other feature requests on here :P
-
amilopowers commented
I've seen that posteo.de and kolabnow.com use DANE (DNSSEC) to secure their e-mail services.
I think protonmail could be even more secure with DANE. You can read about it here: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities