Wednesday, June 23, 2021

Digital Signatures Key to Solving Email Woes

Looking for a great rate on a mort g(ag)e? Neither am I. But, judging

from the number of such emails that find their way into my spambox —

(Thank You, Spamassassin!) — a lot of people must be.

These are no doubt the same people that believe ”eBay” et al when they

get an email from the ”security department” there requiring users to

confirm their account details by connecting to a seemingly harmless Web

address and entering their account details.

It’s unlikely that anyone using the Internet these days hasn’t seen

dozens and dozens of these messages. But, I’d posit that the people

sending them wouldn’t continue, and in fact thrive, if it weren’t for the

fact that there are people out there who fall for them… over and over.

Old P.T. Barnum must be spinning in his grave. If only he’d had the

Internet…

Also, it seems inevitable that whenever you put a bunch of security

techies together, the discussion will turn to how to solve spam and/or

phishing problems. Some will say it’s best to blacklist spam/phish sites

to, in effect, isolate them from the rest of the Internet. Some will say

it’s best to use a whitelist approach and only accept incoming email from

”known” and trustworthy addresses. Still others will say email is dead

as an information medium and we need to start anew with a

designed-from-scratch protocol for exchanging information.

I’ve heard all of these arguments, and I’ve seen people, companies, and

even ISPs that have implemented them.

In response to all of these well-intended schemes, I’m going to butcher a

metaphor and say that all we have to do is click our heels together three

times and repeat, ”There’s no place like home”. Why do I say that?

It’s because many of the tools we need to address a large part of these

problems already are on our PCs and servers.

You see, there’s a common denominator among many, but not all, of these

email-based issues, and it is authentication. Many of our email problems

these days exploit this fundamental weakness of SMTP. Phishing scams and

mortgage ”deals” all dupe users into trusting them to be authentic.

After all, they sure look authentic.

Perhaps the best means of verifying digital authenticity is the use of

digital signatures.

Almost every email client in existence today has the ability to verify a

digital signature in either S/MIME and/or PGP. S/MIME is arguably the

more ubiquitous of the two, as most enterprise-level email clients come

with S/MIME built in, including a repository of root certificates to form

the basis of trust in verifying a digital signature on an incoming

message.

The capability is out there. It may not be a perfect solution, but it’s

out there on the vast majority of PCs. And, just as many users have

learned about the little padlock icon in the corner of their browser

windows to indicate that SSL encryption is turned on, they can learn how

to know when an email has been digitally signed with S/MIME.

So, why do so few sites make use of it?

I’m sure there are many reasons. People think it would be too difficult

for their users to understand it. They’d have to buy a digital

certificate from one of the certificate providers in order to send emails

out to their customers. Maybe they aren’t even aware of it.

Take note that you’d only need to buy a certificate (or run your own

certificate service) if you’re sending messages that need to be signed.

The recipients can verify the authenticity of your messages without

having to buy anything more than what they already have.

Now, I should add a caveat here that digital signatures won’t stop spam

delivery. That’s not what I’m trying to say at all. They will, however,

provide a good basis for email recipients to trust — or not trust — the

authenticity of incoming emails.

That’s a start.

The time has come for us to start using digital signatures in our emails.

Waiting for the perfect solution to come along isn’t going to help us

today. The tools are there. Let’s use them.

Similar articles

Latest Articles

3 AI Implementations That...

I was on a joint educational call for the World Talent Economic Economic forum on mobile computing this week. We drifted to topics that...

Survey of Site Reliability...

NEW YORK — Site reliability engineers (SREs) are warning of a looming scalability ceiling and saying the adoption of AIOps isn’t happening at a...

Druva Integrates sfApex to...

SUNNYVALE, Calif. — A maker of software for cloud data protection and management is helping companies safeguard essential customer data that their sales and...

Best Data Science Tools...

Data science has transformed our world. The ability to extract insights from enormous sets of structured and unstructured data has revolutionized numerous fields —...