Modernizing Authentication — What It Takes to Transform Secure Access
It's been a bad month for Microsoft's efforts to promote their visions of trustworthiness and authentication in Internet commerce.
Just as the ground began to crumble beneath Microsoft's "Sender ID" email authentication proposal, it was discovered that the Redmond, Wa.-based software giant was considering acquiring Claria, one of the world's most notorious adware and spyware companies.
Let's look first at the email authentication wars. As I've discussed previously, the battle over email authentication has been raging for several years. Among the many proposals being considered by the email industry and Internet standards community is Microsoft's Sender ID and its closely related cousin, the "Sender Permitted From" or SPF standard.
Both SPF and Sender ID use text records entered into a domain's DNS entry that define what IP addresses should be permitted to send email for that domain. These definitions embedded in the sender's DNS records are then queried and parsed by the receiving server to determine whether to accept or reject a particular piece of email.
As I reported back in October, Microsoft's Sender ID proposal became the subject of much scorn when it was discovered that, at the same time they were promoting Sender ID as a global standard, they were trying to patent the technology surrounding Sender ID.
In the intervening months, numerous major service providers participating in the Messaging Anti-Abuse Working Group, an industry consortium that is promoting the development of new email authentication standards, have continued to test Sender ID. Their recently released findings are not good news for Microsoft.
According to the technical committee's white paper:
"At best, SPF and Sender ID are comparable to a license plate issued by a foreign country: they show that the vehicle is permitted to drive in that country, but make no indication as to whether that country's regulations are similar to yours and we can only assume that the driver inside is permitted to use that vehicle."
But the committee went on to explain that along with these dubious benefits, there were some significant downsides to implementing Sender ID.
* Forwarded or re-sent mail will fail authentication without changing email systems to re-write return addresses and add new headers;
* Those sites publishing authentication records must ensure that their records permit mail from all possible points of origination or risk having legitimate email mislabeled as spam;
* This method of authentication does not provide protection against forgery of the most common user-visible mail headers;
* Receivers must be aware that performing some checks in accordance with Sender ID and SPF may yield inaccurate authentication results due to misinterpretation of the Sender's authorization; and
* If your operation provides email services to roaming users, you may need to forge or add certain headers in order to ensure successful authentication.
As a result, several major service providers have removed their Sender ID and SPF statements from their DNS records in order to avoid potential confusion and lost email.
But just as the industry is backing away from Sender ID, Microsoft rekindled fears of monopolistic bullying tactics by unilaterally declaring that all email sent to MSN and Hotmail would be scanned for Sender ID compliance. Resistance is futile. If your company's email doesn't pass a patent-pending Sender ID check, it might be labeled as spam and consigned to the dreaded Spam folder.
Just as the world was trying to digest what Microsoft was attempting to shove down its collective throat, word leaked out that Microsoft was in talks to buy Claria, formerly known as Gator -- one of the world's most notorious peddlers of spyware and adware -- which I will call malware hereafter for the sake of brevity.
According to several news reports, Microsoft has been eager to compete in the online advertising markets dominated by companies like Yahoo and Google. Experts suggest that buying Claria would give Microsoft a jumpstart in the market because of Claria's advertising network consisting of more than 40 million souls who receive Claria's annoying pop-up ads.
As one commentator wrote, this move "underscores just how eager Microsoft is to catch up with Google, the search and advertising giant."
Eager? How about desperate?
In my opinion, picking up Claria for its advertising network is like buying a former nuclear bomb testing site because the lack of anything standing gives you such great views in all directions. Just don't touch anything, ignore the three-headed rabbits populating the poisoned ground, and you'll be fine.
There are plenty of other ad networks out there, most of which got to be successful without engaging in deceptive, unfair, and lawsuit-provoking activities.
Some might say Microsoft and Claria have been unwittingly working together for a long time. Claria's advertising reach is directly tied to its years of distributing malware and the long history of its paid "affiliates" taking advantage of security holes in Microsoft's operating system to install the software surreptitiously and without end users' permission.
In its defense, Claria claims to be migrating its business model to one focused on more legitimate forms of business. But like the Gotti family and their garbage hauling business, I have a feeling that it is going to take them some time to stop living off their other gigs.
More recent reports suggest that an acquisition of Claria is never going to happen because Claria's reputation is too tarnished for even Microsoft's tastes. But that didn't stop Microsoft from giving Claria a pre-engagement gift just last week -- a downgraded threat rating in Microsoft's anti-spyware utility!
According to Eric Howes of SpywareWarrior.com:
"Several sources have now confirmed that Microsoft downgraded its detections of Claria's adware products in the latest update (#5731) to Microsoft AntiSpyware released today. Where Microsoft AntiSpyware used to detect Claria's products and present users with a Recommended Action of 'Quarantine,' following today's update Microsoft AntiSpyware now presents users with a Recommended Action of 'Ignore[.]' Users can still change the action to Quarantine or Remove."
In the end, though, this is nothing new. As I've noted before, other security software makers have gone soft on malware. Microsoft's is only the most recent, and to my way of thinking, the most unprincipled and morally corrupt.
So the next time you hear pronouncements from Microsoft about their efforts to make your computing experiences safer and more secure, a deeper look may suggest that Microsoft's effort to be part of the solution includes taking a bigger stake in the problem.