On 10/28/2012 06:02, Benny Pedersen wrote:
John Levine skrev den 28-10-2012 04:31:
Consider how hard it is to make up some fake letterhead in your
favorite word processor, print out a fake letter, put it in an
envelope with a fake return address, put a real stamp on it, and put
it in a mailbox.
and ask the postman to get paid on delivery from the recipient?
If you insist on extending this metaphor, assume that John's
hypothetical imposter printed up an equally convincing response card or
form and return envelope, with postage attached, and included it with
the letter. If the recipient fills it out and returns it, that would be
the equivalent of clicking on the link included in a phishing message...
Getting back to the larger points -- no, DMARC is not a magic bullet,
but I think it does offer a significant improvement over the current
situation. You can see benefit for the organizations being spoofed and
having to deal with their customers being exploited. You can see benefit
for the organizations providing mailboxes to consumers, who lose them
when too much crap reaches the inbox. Hopefully you can even see benefit
to the end-user, when the most dangerous phishing messages should fail
to reach them (e.g. using a domain they already trust successfully, etc.).
I'm puzzled when people suggest redesigning email - which sounds great
in theory - because you still come back to the fundamental problem of
identity assertions at scale, that can be trusted without prior
arrangement. P2P web-of-trust hasn't worked very well at scale, a la
PGP. Certificate authorities haven't been too bad, perhaps because there
were easier attack vectors, but we've still seen more than a dozen have
to revoke batches of their CA certificates because of "CA Compromise"
(cf. Burns and Eckersley). But hey, perhaps those closer to the subject
feel this is a solved problem. Or perhaps they hope that the recent
disclosure of 3.6MM Social Security Numbers in South Carolina (link
<http://www.theverge.com/2012/10/26/3560140/south-carolina-cyber-attack-3-6-million-social-security-numbers>)
will finally spur the US government into action...
Anything you do with crypto is not best left ignored in a corner for 5+
years. As Mr. Harris got a lot of ink for pointing out indirectly: you
have to execute well, revisit your assumptions and review the situation
periodically. Sloppiness and crypto do not mix very well...
But while people usually "get" the importance of TLS and include annual
reviews of certificates and key strengths at many organizations, I don't
think DKIM ever got the same kind of awareness and thus didn't receive
the same kind of attention. And despite the fact that old keys, weak
keys, and testing flags had been mentioned periodically for literally
years, they persisted. So if it took a few slick photos of Mr. Harris
and 15 minutes of fame courtesy Conde Nast, I'm all for it if it means
large organizations will take email authentication more seriously going
forward.
--Steve.
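The periodic review Steve calls for (old keys, weak keys, testing flags left in place) can be scripted. The following is an added example, not code from this thread or from dmarc.org: it parses a DKIM selector TXT record, measures the RSA modulus carried in p= with a small hand-written DER walker (assumed here rather than taken from any library), and flags t=y, an empty p=, and moduli below 1024 bits. The sample records at the bottom are constructed, not real keys.

```python
import base64

# Minimal DER encode/decode helpers, written here so the example runs offline (not a DKIM library)
def _der(tag, body):  # one TLV element with definite-length encoding
    n, size = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body
def _der_int(value):  # unsigned INTEGER; a leading 0x00 is added when the high bit is set
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))
def _der_read(buf, pos):  # -> (tag, body, next_pos) for the TLV element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL params
def rsa_spki_b64(modulus, exponent=65537):
    # Encode an RSA public key as the base64 SubjectPublicKeyInfo that DKIM carries in p=
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return base64.b64encode(_der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_key))).decode()
def rsa_modulus_bits(p_value):
    # Bit length of the RSA modulus inside a DKIM p= value
    _, spki, _ = _der_read(base64.b64decode(p_value), 0)
    _, _, pos = _der_read(spki, 0)            # skip AlgorithmIdentifier
    _, bitstr, _ = _der_read(spki, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _der_read(bitstr[1:], 0)  # drop the unused-bits byte
    _, n_bytes, _ = _der_read(rsa_key, 0)     # first INTEGER is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()

def parse_dkim_record(txt):
    # Split "tag=value; ..." into a dict, dropping folding whitespace inside values
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def audit_dkim_record(txt, min_bits=1024):
    # Findings a periodic DKIM key review should raise for one selector's TXT record
    tags, findings = parse_dkim_record(txt), []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: selector is still flagged as testing")
    if not tags.get("p"):
        findings.append("p= empty: key revoked, signatures will not verify")
        return findings
    bits = rsa_modulus_bits(tags["p"])
    if bits < min_bits:
        findings.append(f"weak key: {bits}-bit RSA modulus, below {min_bits}")
    return findings

# Constructed sample records: the moduli are arbitrary odd numbers, not real keys
WEAK_RECORD = "v=DKIM1; k=rsa; t=y; p=" + rsa_spki_b64((1 << 511) | 0xD5)
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + rsa_spki_b64((1 << 2047) | 0x8B)
```

In practice the TXT record comes from a DNS lookup of selector._domainkey.example.com; feeding each selector's record to audit_dkim_record gives the list of items the annual review should clear.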
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)