[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

David Woodhouse dwmw2 at infradead.org
Mon Jun 9 13:48:18 PDT 2014

On Mon, 2014-06-09 at 13:49 -0400, Larry Finch wrote:
> On Jun 9, 2014, at 1:18 PM, Murray S. Kucherawy <superuser at gmail.com> wrote:
> > My understanding is that (a) it's too hard for users to understand
> > how to set it up and how to respond when problems occur, 

What is there to set up?

If your MUA shows you that this message is signed with a trusted
certificate, you're sorted. If you're in the minority (or so I believe)
for whom that isn't displayed, then boo; you're one of the few for whom
S/MIME signatures as a matter of course would achieve nothing. But they
don't *hurt* you either.

> I think that is the reason. Users for the most part are trusting. If
> an email says it comes from their bank they believe it. Most banks
> have gone to great lengths to make it easy to verify that a message
> really comes from the bank, such as including an account balance, or
> the last N digits of the account number.

I've never seen an account balance, but I've seen some truly stupid

I've seen a partial postal (zip) code, which is not a secret and is
available to fairly much anyone with access to the electoral roll or
similar data sources.

I've seen "last 4 digits of your credit card number", which are often
found printed on credit card receipts on the basis that 12 asterisks
followed by 4 real digits isn't a security threat... which it wasn't,
until the banks started using those last 4 digits as if they were a

I've seen partial bank account numbers too, which is *completely* insane
given that bank account numbers are on the bottom of every cheque you
write, and have never been considered "secret" except by the truly

There is fairly much *nothing* that is sane to put into an unencrypted
email, that truly serves to identify the sender. Except a cryptographic

I just don't see any reason for that class of mail sender *not* to be
signing mail with S/MIME as a matter of course.

> User education (if that is possible) is the best defense. 

That's why S/MIME (and not PGP or anything else) appears to be the
simpler option. It uses the same X.509 certificate authorities that the
users have to handle if they're going to use online banking and similar
tools anyway. Yes, users are crap at that too, but at least it's
something they're *already* crap at, instead of something new for them
to misunderstand.

If users don't have sane certificate authorities installed and can't
tell when their web browser is on a bogus site, the game was fairly much
already lost *anyway*. And if that *does* work well enough in the
context of HTTP, it can work for mail too.
