Modern internet standards for a safe and reliable internet
The use of modern internet standards helps to prevent cybercrime such as spam, phishing or malware; using outdated protocols is unsafe. At BIT we use modern internet standards such as TLS, HSTS, DNSSEC, SPF, DKIM, DMARC and DANE TLSA. As a result, we achieve a score of 100% on internet.nl and our customers are also able to meet these standards. To achieve all standards, both the outgoing and incoming server or client must support this. This is not yet the case with all providers. BIT has taken measures on both sides of the connection. Below we briefly explain what these standards mean.
Transport Layer Security (TLS) is een protocol dat de beveiliging van transport over het internet verzorgt. Dit protocol is beschikbaar voor allerlei applicatieprotocollen, waaronder HTTP (web) en IMAP (email). TLS versleutelt en ontsleutelt het verkeer bij de client en bij de server, waardoor het verkeer tijdens het transport niet door derden uitgelezen kan worden. Zowel server als client kunnen geen tot weinig invloed uitoefenen op de route die het verkeer over het internet neemt. Door versleuteling hoeven beide geen vertrouwen te hebben in de partijen die het transport verzorgen. De afgelopen jaren zijn steeds meer websites met TLS beveiligd. Er is echter nog volop ruimte voor verbetering. Websites waar een contactformulier op staat, en dus persoonsgegevens op worden uitgewisseld, behoeven versleuteling.
Transport Layer Security (TLS) is a protocol that provides security for transport over the Internet. This protocol is available for a variety of application protocols, including HTTP (web) and IMAP (email). TLS
encrypts and decrypts traffic at the client and at the server respectively. This way traffic cannot be read by third parties during transport. Both server and client have little to no influence on the route that traffic takes over the internet. Due to encryption, both do not have to trust the parties who provide the transport. In recent years, more and more websites have been secured with TLS. However, there
is still plenty of room for improvement. Websites that contain a contact form, which are used to exchange personal data, require encryption.
The DNS is vulnerable, making it attractive to malicious parties. They can link a domain name to another IP address; this is known as DNS spoofing. The goal is to mislead users to a rogue website. DNSSEC secures the DNS lookup. DNSSEC stands for Domain Name System Security Extensions and provides the DNS records with a cryptographic signature so that the answer of a nameserver can be checked for "authenticity". Cryptographic signatures verify a nameserver's response to "authenticity" and protect it from threats by cybercriminals.
Sender Policy Framework (SPF) has been developed to provide more security for the SMTP protocol. By means of a TXT record in the DNS zone, it indicates which mail server(s) are authorized to send an email from your email domain. In this way, SPF ensures that outsiders do not receive spoofed email or spam from your email domain; sender forgery is made detectable. If the sending mail server is not in the list of published IP addresses (the so-called SPF record) but still sends mail with the relevant domain as the sender, the mail is considered unauthorized. Your SPF measure has no impact on spam or email sent to you.
DKIM (DomainKeys Identified Mail) is an internet standard in which the sending server creates a cryptographic hash using a "private key". This hash is added to the email in the form of a DKIM header, which acts as a “seal” on the email envelope. A public and private key pair is generated; a private key for the mail server and a public key for the DNS. The receiving mail server checks the hash in the email using the public key in the DNS.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is a combination of a properly configured SPF record and DKIM configuration. By means of DMARC it is possible to implement a policy regarding the manner in which the email provider handles mail traffic of which it is not known whether it really comes from the stated sender domain. This can prevent others from emailing on behalf of your organization's email domain. With DMARC, abuse of the domain name by email is reduced or even prevented.
DNS-based Authentication of Named Entities (DANE) is a technique that builds on DNSSEC and ensures the safe publication of public keys and certificates. DANE can be used to associate key information (e.g. a hash code) with an address/protocol or port combination. In this way, the authenticity of the certificate of each encrypted internet service can be verified via DNS. If the hash code of the certificate or certificate authority does not match the hash code in the TLSA record, the client knows that the connection cannot be trusted. This is already used for email communication.
All devices that are connected to the internet have their own IP address. Due to the increase in the number of devices that are connected to the internet, the IPv4 addresses that are needed for this are
becoming increasingly scarce as they are now almost all in use. IPv6 is the successor to IPv4. IPv6 solves this problem with 128 bit addresses instead of the 32 bit addresses in IPv4. This means that there are many more unique IP addresses available: 3.4 x 10^38 (a 3 with 38 zeros) versus the 4 x 10^9 (a 4 with 9 zeros). IPv6 also provides better end-to-end connectivity.
Want to know more about internet standards?
Would you like to know more about these modern internet standards? Please contact us at email@example.com or 0318 648 688. You can also test yourself how you are doing and where things can still be improved. Take the test on internet.nl!
Internet.nl also makes 'how-to's' available with practical information that can help you implement these standards. Read more about the implementation of SPF, DKIM and DMARC on the Postfix mail server on the SIDN site.