- 20-04-23RFO Incident 14 April 2023
- 15-04-23Storage incident Friday April 14th, published on www.bit.org
- 30-12-22Power rate change and portal updates
- 30-05-22Update RFO Network Incident 17-04-2022
- 23-05-22Freedom of Information Coalition (FOIC) takes case to European court
- 19-04-22RFO Network Incident 17-04-2022
- 21-02-22BIT-MeetMe fully reopens
- 17-12-21We carry on working from home
- 05-11-21Face mask required from November 6th at BIT
- 04-08-21Road works BIT-2 from Aug 16th until Sep 25th
STARTTLS and DANE mandated by National Consultation
The National Consultation Digital Government is requiring governments to implement the email security standards STARTTLS and DANE with investments in email systems. On September 19, 2016 it was decided to add both open standards to the list of required standards according to the ‘comply-or-explain’ regime.
A solid encryption of email traffic
To guarantee the integrity and confidentiality of email traffic, the use of STARTTLS and DANE is needed. STARTTLS combined with DANE counteracts the interception or manipulation of email traffic. STARTTLS offers the possibility to secure transport connections between email servers based on certificates with TLS. In combination with email security standard DANE, email servers can also enforce the use of TLS. Together they ensure a solid encryption of email traffic. This secures the email traffic for certain types of attacks that aim to intercept or manipulate.
How does it work?
When an email is sent, the senders’ mail server sends it to the recipients’ mail server. The connection between these servers can be secured with TLS. The protocol that is used to do this is called STARTTLS. This STARTTLS-protocol makes sure that an unencrypted connection is converted to an encrypted TLS-connection. Both mail servers need to support STARTTLS to allow this.’
DANE is a technique that builds on DNSSEC and allows secure publishing of public keys and certificates. DANE can be used to connect key information (for example a hash code) to an address/protocol or port-combination. That way the authenticity of the certificate can be verified for every encrypted internet service through DNS. If the hash code of the certificate or the certificate authority is not the same as the hash code in the TLSA record, the client knows that the connection cannot be trusted.
Open standards on the ‘comply-or-explain’ list
The security standards on the ‘comply-or-explain’ list help secure information. The addition to the ‘comply-or-explain’ list means that public organisations, including healthcare and government institutions have to implement the standards when purchasing new ICT systems and services. An overview of all open standards can be found on the website of the Standardisation Forum. On https://internet.nl/ domain names can be checked for the support of open standards.