I proudly pronounce the first (pre-)release of cryptorecord. Cryptorecords is a ruby gem that provides an API and scripts for creating crypto-related dns-records(e.g. DANE). Currently it supports TLSA, OPENPGPKEYS and SSHFP but I plan to support other records in future. The API doesn't create any keys or certificates. It just takes existing keyfiles to create the DNS-records.
TLS via SMTP is opportunistic which makes connections vulnerable to man-in-the-middle-attacks. In order to prevent mitm-attacks, DANE could be used. The sender-server will first check the domain-records if dnssec is in use(and valid) and if a TLSA-record is published(and valid). If a TLSA-record is valid and matches with the certificate of the recipient-server the connection could be encrypted and the encryption is verified.
DNS is one of the oldest but also one of the most important network protocols we have and actively use. Dan Kaminsky discovered 2008 some serious flaws in DNS which is very well explained on this site. DNSsec is supposed to solve those problems.
Certificate Transparency is a great idea. All certificate-related activities on a certificate authority will be logged into a public database(it's a merkle-table), so that anyone can monitor or review the certificates. Commodo published a very handy web-tool to query the logs.
End-To-End-Encryption is nothing new. With messengers like Whatsapp or Telegram it's again an issue. If E2E-Encryption means that nobody but the endpoints are able to encrypt the messages, then how is this feature implemented so seamlessly?
The connections to this blog are encrypted now. Youhuuuuu.....
If you want to setup a ssl-certificate with multiple subdomains(of the same domain), you'll have to generate a certificate with alternative names. We can achieve this using some parameters in our openssl.cnf...
There are several weaknesses in how Diffie-Hellman key exchange are deployed. This weaknesses have a huge impact, since many servers are affected. Here are some advices how to setup a prober key exchange on serveral servers.