Modernizing Authentication — What It Takes to Transform Secure Access
These are no doubt the same people that believe ''eBay'' et al when theyget an email from the ''security department'' there requiring users toconfirm their account details by connecting to a seemingly harmless Webaddress and entering their account details.
It's unlikely that anyone using the Internet these days hasn't seendozens and dozens of these messages. But, I'd posit that the peoplesending them wouldn't continue, and in fact thrive, if it weren't for thefact that there are people out there who fall for them... over and over.
Old P.T. Barnum must be spinning in his grave. If only he'd had theInternet...https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i Also, it seems inevitable that whenever you put a bunch of securitytechies together, the discussion will turn to how to solve spam and/orphishing problems. Some will say it's best to blacklist spam/phish sitesto, in effect, isolate them from the rest of the Internet. Some will sayit's best to use a whitelist approach and only accept incoming email from''known'' and trustworthy addresses. Still others will say email is deadas an information medium and we need to start anew with adesigned-from-scratch protocol for exchanging information.
I've heard all of these arguments, and I've seen people, companies, andeven ISPs that have implemented them.
In response to all of these well-intended schemes, I'm going to butcher ametaphor and say that all we have to do is click our heels together threetimes and repeat, ''There's no place like home''. Why do I say that?It's because many of the tools we need to address a large part of theseproblems already are on our PCs and servers.
You see, there's a common denominator among many, but not all, of theseemail-based issues, and it is authentication. Many of our email problemsthese days exploit this fundamental weakness of SMTP. Phishing scams andmortgage ''deals'' all dupe users into trusting them to be authentic.
After all, they sure look authentic.
Perhaps the best means of verifying digital authenticity is the use ofdigital signatures.
Almost every email client in existence today has the ability to verify adigital signature in either S/MIME and/or PGP. S/MIME is arguably themore ubiquitous of the two, as most enterprise-level email clients comewith S/MIME built in, including a repository of root certificates to formthe basis of trust in verifying a digital signature on an incomingmessage.
The capability is out there. It may not be a perfect solution, but it'sout there on the vast majority of PCs. And, just as many users havelearned about the little padlock icon in the corner of their browserwindows to indicate that SSL encryption is turned on, they can learn howto know when an email has been digitally signed with S/MIME.
So, why do so few sites make use of it?
I'm sure there are many reasons. People think it would be too difficultfor their users to understand it. They'd have to buy a digitalcertificate from one of the certificate providers in order to send emailsout to their customers. Maybe they aren't even aware of it.
Take note that you'd only need to buy a certificate (or run your owncertificate service) if you're sending messages that need to be signed.The recipients can verify the authenticity of your messages withouthaving to buy anything more than what they already have.
Now, I should add a caveat here that digital signatures won't stop spamdelivery. That's not what I'm trying to say at all. They will, however,provide a good basis for email recipients to trust -- or not trust -- theauthenticity of incoming emails.
That's a start.
The time has come for us to start using digital signatures in our emails.Waiting for the perfect solution to come along isn't going to help ustoday. The tools are there. Let's use them.