Establishing Digital Trust: Don't Sacrifice Security for Convenience
There is a growing number of proposed changes to email standards that would address two critical issues -- a lack of authentication and accountability.
Under today's most widely deployed email standard, the Simple Mail Transport Protocol (SMTP), the need to quickly process millions of pieces of email led to a streamlined protocol that lives up to the name ''simple''. But that simplicity has become a liability.
The protocol assumes every email sender will be truthful about who they are and what they're doing. As a result, there are virtually no technical consequences for a spammer or identity thief who claims to be someone he's not in order to get their mail delivered.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i Over the course of the last decade of spam-fighting, the experts seem to have finally agreed that many of today's problems with spam and ''phishing'' boil down to the absence of reliable identification and authentication in the transmission of email.
In short, industry experts say we need to be able to know that email really is from the person or business it claims to be.
Making decisions based on who someone claims to be isn't new in email. To combat spam, some email servers are configured to do ''look-ups'', comparing the sending site's IP address to a list of trusted ''whitelist'' sites. Other times they compare it to a ''blacklist'' of known spammers.
These look-ups are generally done during the SMTP conversation itself, and that's a really bad time to do them. Stopping mid-stream can dramatically slow mail processing speeds, which can require extra server capacity to offset lost efficiency.
Unfortunately, the effectiveness of checking email sources against whitelists and blacklists also is predicated upon the reliability of the sender's claims about their originating IP address, on whose behalf they're relaying a message, and other points of data that are not at all guaranteed to be truthful. For the better part of 20 years, security experts have been preaching about the flaws inherent in IP addressing and the DNS infrastructure, including the ease with which IP addresses can be spoofed and entire ranges of IP address blocks can be hijacked.
Despite these well-known problems, the leading contender to ''solve'' the problem of poor email security is a plan called Sender ID, which proposes to build a network of trust squarely atop the quicksand of IP addressing and DNS.
Sender ID is the brainchild of Meng Weng Wong, CTO of Philadelphia-based Pobox.com. Through an adroit public relations campaign, which has been short on technical answers and long on promises, Wong has convinced both Microsoft and America Online to sign onto the Sender ID bandwagon and are now touting the standards proposal as a major step forward in fighting spam.
The reality of Sender ID is a lot more problematic than the press releases let on. At its core, Sender ID proposes loading up DNS records with XML statements that would need to be queried, transmitted, and parsed, for each email transaction. These statements would tell a receiving server whether mail claiming to be from a particular domain is coming from an authorized IP address.
Setting aside the fact that IP address spoofing renders Sender ID moot, and spammers are already building tools to do just that, a key criticism of Sender ID is one that even its proponents admit: lots of legitimate email will get lost. For example, legitimate email can quite often come via routes that are perfectly acceptable, yet might not be listed in a particular domain's pre-established Sender ID DNS record. (Think roaming users on dial-up connections, or email forwarding services -- which, ironically, is the primary line of business for Sender ID's author!)
There also are some deeper and more dangerous flaws in Sender ID. Some experts have questioned whether, given the notoriously flimsy DNS infrastructures of many major organizations, a simple breakage, or even a denial-of-service attack, could hopelessly cripple email delivery for an entire domain. In short, a Sender ID world, your DNS infrastructure will have to be robust enough to resist attack and keep pace with all your outgoing and incoming email needs.
In full disclosure, I should note that I too have joined the email authentication fracas as a co-author of an email authentication proposal called the Trusted Email Open Standard (TEOS). TEOS takes a different tack and eschews reliance on IP addresses in favor of strong cryptographic signatures on email messages. Our proposal predates a similar cryptographic signature proposal by Yahoo!, called DomainKeys, but takes a very similar tack.
Proponents of cryptographic solutions believe that, while IP addresses may be easy to spoof, cryptographic signatures aren't. And with the ability to incorporate signatures from trusted signing authorities, third-party assurance organizations, or even government agencies, cryptographic identification systems offer a much more robust means of foiling identity thieves and spammers.
But there's not much cost savings to be had in cryptography either. Indeed, widespread deployment of cryptographic identity systems could easily eclipse the costs of a Sender ID-style IP address-based solution. But our theory is that if you're going to make the investment in a major new anti-spam initiative, you should invest in one that has a chance of getting out of the starting gate before being overtaken by spammers.
All the experts agree that authentication and security are critical for the future of email. It is important that in the urgency to solve the growing problems of spam and phishing, we must not rush headlong into costly solutions that do not actually move us closer to a lasting solution.
Ray Everett-Church is a principal with ePrivacy Group, a privacy and anti-spam consultancy. He is a founder of CAUCE, an anti-spam advocacy group, and he is co-author of ''Internet Privacy for Dummies.''