Saving e-mail: It's all about trust
perspective Sendmail inventor Eric Allman says a new Internet standard promises to restore trust to e-mail.
Most users were researchers, and they had a vested interest in making the network work well. For the most part, they knew each other; in fact, there was a directory of every network user, including their names, physical and e-mail addresses, and phone numbers--printed on paper and weighing less than 2 pounds.
Security consisted of little more than simple passwords, and encryption was rare. In fact, the Arpanet, the predecessor to the Internet, first started operating in 1969, but the RSA algorithm, one of the first great advancements in Internet security, wasn't invented until 1977. Heavy e-mail users sent and received perhaps 10 messages per day.
How things have changed. There are times of day when I receive 10 messages a minute--and most of those are spam or phishes. In fact, I receive more than 1,000 unwanted messages every day. Spam is nasty, but phishing is worse, resulting in the theft of money and identity that equates to significant losses for both individuals and businesses. Global research firm Gartner estimates that 3.5 million Americans divulged personal information to phishers in 2006, nearly twice the number of 2005. The average loss per incident was around $1,244, more than double the amount in 2005, and barely half of those consumers will get their money back.
In all, financial losses attributed to phishing in 2006 amounted to around $2.8 billion. Because of this, most individuals and companies have little trust in their e-mail systems, and the challenge facing e-mail administrators has evolved from filtering out the bad messages to filtering in the good.
Today it is easy to send an e-mail and pretend to be anyone--even someone who doesn't even exist. This results from the idyllic early days of the Internet, when authentication was neither technologically feasible nor particularly important. Just as people from small towns often don't lock their doors when they first move to the city, e-mail has maintained a small-town mentality, oblivious to the skyscrapers rising around it. Criminals are all too willing to take advantage of these unlocked doors. To restore trust in e-mail systems again, it is time for all of us to start installing locks. E-mail authentication is one of those locks.
Work has been progressing for several years on an e-mail authentication technology known as DKIM (DomainKeys Identified Mail), developed collaboratively by several companies, including Cisco Systems, Yahoo, Sendmail and PGP.
Cooperation needed on DKIM
DKIM uses digital signatures to authenticate messages. These signatures allow you, or your e-mail service provider, to verify that a message claiming to be from your bank is really from your bank. Without authentication, if I receive an e-mail saying that my account has been compromised and requesting me to verify my personal details, it's a pretty good bet that I should ignore the message. But if I receive the same message and I can prove to my own satisfaction that it came from my bank, then I should probably pay serious attention.
DKIM can offer this proof, and it has just been published by the Internet Engineering Task Force--the group responsible for technical standards on the Internet--as an official Internet standard.
But just as no one wants to buy a radio if no signal is being transmitted, and no one wants to transmit until someone can hear it, DKIM needs cooperation from both senders and receivers. Senders will drive adoption of DKIM because they have money and their brand reputation at risk.
One way phishers profit is by tricking victims into divulging personal bank account details by impersonating the bank behind that account. This is of huge concern to financial institutions, many of which have already started deploying DKIM. And because DKIM runs on the e-mail servers provided by the enterprise or service provider rather than on the desktops of individual users, it doesn't require upgrading every machine on the network.
Still, a digital signature by itself isn't enough to prove that a message is valid. Phishers will undoubtedly sign mail using domains that they own. Sometimes these domains will be chosen to resemble the names of legitimate institutions.
You can compare authentication to a driver's license, which proves who someone is, but tells you nothing about their safety record; for that you need to know something about their driving history. In the e-mail world, we call this "reputation," which is essential to assessing the value of a message. The next big step to restoring trust in e-mail will be the creation of reputation servers so we can see the "driving history" of the multitude of lesser-known sites.
While DKIM by itself is a valuable technology, to really shine it will need to be used in concert with other technologies, some still in development. But we must start with DKIM.
E-mail senders should start using DKIM as soon as feasible so that they and their customers can reap the benefits. E-mail receivers should start verifying DKIM signatures so next-generation antispam and antiphishing tools can leverage that information to deliver better results. And end users should ask their e-mail providers what they are doing to deploy e-mail authentication and restore trust in Internet e-mail.