Jordan Brown writes:

> Wasn't this in the context of signature-checking schemes that detect
> forged origin metadata?

Context, yes. The question is did Intuit need extreme accuracy for that? Maybe they did, but I see no evidence for that need. Intuit was not a financial intermediary. It sent bills, it did not collect payments AFAIK (if it did, that would be a different matter). The reason it got into billing is that it has the invoice data anyway, since it was doing accounting and tax preparation for these businesses (Intuit is the company that sells TurboTax). So you receive a bill from Intuit, your response is not to click on a link in the bill, it's to go to your banking site and authorize a transfer to the vendor.

You could argue that the bad guys could find some way to abuse the system because the From address isn't aligned with Intuit's DKIM signature (I thought of two while typing this sentence), but as far as I know they haven't implemented yet. They did implement spear-spamming "from" Yahoo! and AOL customers. Doesn't prove there's no profitable way to exploit Intuit, but it's suggestive.

> So the vendor has to notify their customers who they use to do
> their billing, and every time that they change billing vendors?

Probably not. My guess is that Intuit did, in a footer. Again, this works well enough as long as Intuit isn't collecting money for the vendor, and the vendor's customers are expecting to use a different channel already set up to make payment. I don't think these folks would change billing vendors very often, since that probably implies changing accountants and tax preparer, too.

> Ofttimes, the goal is that the billing vendor is completely
> invisible to the end customer.

Sure. But it can't be completely invisible here. Remember, these are businesses that don't have their own domains or are so technically clueless that they're billing from yahoo.com, not their own domain. I doubt very many customers (of the vendors using Intuit) paid any attention to who was sending the bills, vs who was asking for money.

> Having your billing vendor be visible is, like having your company
> e-mail address be @gmail.com

Exactly (but it was @yahoo.com. :-) There are many people out there who don't think very hard about these things. The only thing they fear enough to buy help for is the IRS. Therefore, Intuit.

> Not anywhere near as hard as it is for a full-scale e-mail vendor.
> Google secures a database of millions of users' secrets, and must
> have internal and external controls that keep the wrong people from
> sending mail that pretends to come from those users.

It's unfair to refer to Google and ignore Yahoo! and AOL here. My point is that if I were Intuit's CISO, I would want to be securing customers' accounting and tax records, not their mail service. One doesn't want to have to expend Google-like resources for a service one doesn't need to provide.