Looking for a great rate on a mort g(ag)e? Neither am I. But, judging
from the number of such emails that find their way into my spambox —
(Thank You, Spamassassin!) — a lot of people must be.
These are no doubt the same people that believe ”eBay” et al when they
get an email from the ”security department” there requiring users to
confirm their account details by connecting to a seemingly harmless Web
address and entering their account details.
It’s unlikely that anyone using the Internet these days hasn’t seen
dozens and dozens of these messages. But, I’d posit that the people
sending them wouldn’t continue, and in fact thrive, if it weren’t for the
fact that there are people out there who fall for them… over and over.
Old P.T. Barnum must be spinning in his grave. If only he’d had the
Also, it seems inevitable that whenever you put a bunch of security
techies together, the discussion will turn to how to solve spam and/or
phishing problems. Some will say it’s best to blacklist spam/phish sites
to, in effect, isolate them from the rest of the Internet. Some will say
it’s best to use a whitelist approach and only accept incoming email from
”known” and trustworthy addresses. Still others will say email is dead
as an information medium and we need to start anew with a
designed-from-scratch protocol for exchanging information.
I’ve heard all of these arguments, and I’ve seen people, companies, and
even ISPs that have implemented them.
In response to all of these well-intended schemes, I’m going to butcher a
metaphor and say that all we have to do is click our heels together three
times and repeat, ”There’s no place like home”. Why do I say that?
It’s because many of the tools we need to address a large part of these
problems already are on our PCs and servers.
You see, there’s a common denominator among many, but not all, of these
email-based issues, and it is authentication. Many of our email problems
these days exploit this fundamental weakness of SMTP. Phishing scams and
mortgage ”deals” all dupe users into trusting them to be authentic.
After all, they sure look authentic.
Perhaps the best means of verifying digital authenticity is the use of
Almost every email client in existence today has the ability to verify a
digital signature in either S/MIME and/or PGP. S/MIME is arguably the
more ubiquitous of the two, as most enterprise-level email clients come
with S/MIME built in, including a repository of root certificates to form
the basis of trust in verifying a digital signature on an incoming
The capability is out there. It may not be a perfect solution, but it’s
out there on the vast majority of PCs. And, just as many users have
learned about the little padlock icon in the corner of their browser
windows to indicate that SSL encryption is turned on, they can learn how
to know when an email has been digitally signed with S/MIME.
So, why do so few sites make use of it?
I’m sure there are many reasons. People think it would be too difficult
for their users to understand it. They’d have to buy a digital
certificate from one of the certificate providers in order to send emails
out to their customers. Maybe they aren’t even aware of it.
Take note that you’d only need to buy a certificate (or run your own
certificate service) if you’re sending messages that need to be signed.
The recipients can verify the authenticity of your messages without
having to buy anything more than what they already have.
Now, I should add a caveat here that digital signatures won’t stop spam
delivery. That’s not what I’m trying to say at all. They will, however,
provide a good basis for email recipients to trust — or not trust — the
authenticity of incoming emails.
That’s a start.
The time has come for us to start using digital signatures in our emails.
Waiting for the perfect solution to come along isn’t going to help us
today. The tools are there. Let’s use them.