Sancus
commented
5 years ago 1) Not sure DNS CAA really does anything, especially if you're using letsencrypt(we are) and do not use DNSSEC(we don't). I can't think of an attack it prevents. It's not used by mozilla.org, and it doesn't seem to be required for A+, which mozilla.org has. I do know that it's going to confuse me in the future when I try to use a third party service on a specific subdomain and they attempt to issue a cert using their own CA. I'm going to pass on this one.
2) (and 3) This is related to older browser support(WinXP, basically). This is probably the main reason we don't get A+, but these options are intentionally turned on for now. I want to do a push to get people to update from older versions of TB after 68 release, and so until then I'm going to leave these on. 2020 might be a good time to finally turn this off, given that's also the final 'browsers are removing support for these' time.
4) Agreed this should be on for www.thunderbird.net, start.thunderbird.net and autoconfig.thunderbird.net. Probably not the other domains for now. It's rather permanent when you do set it. Will implement.
https://www.ssllabs.com/ssltest/analyze.html?d=thunderbird.net
AtoA+redororangetoblackorgreenSuggestions:
DNS CAAFromNo (more info)toYesCAA Record Generator How to add a CAA record into a DNS zone file using BIND DNSCertificate #4: RSA 2048 bits (SHA1withRSA)FromNotoYesMozilla Apple Android Java Windows
Remove support for TLS 1.0 and TLS 1.1. Only support TLS 1.2 and TLS 1.3 (these are currently supported)
Enabling HTTP Strict Transport Security (HSTS) In the filename
.htaccesswhich may be located/public_html/(orroot) addHeader set Strict-Transport-Security "max-age=31536000" env=HTTPSWhat do you think?
Thank you