4

Anyone who's used a bit of PHP to send an email knows that we can use whatever name we want as the sender of an email.

To the secretary of a specific business, I can send a message requesting very sensitive customer or company information that appears exactly as if it came from her boss, bossname@companyname.com - This seems to me like a very big security issue.

Why does the email system not verify the sender's address?


It seems to me that someone would have thought to validate the sender's address some way or another when designing the infrastructure of email.

Another serious risk that exists through this:

I could send a facebook password reset email to myself, copy the format of the email, and send that same format to a user, disguised as facebook, and store the user's input password. When this confuses the user, and he/she can't log in with the new password, he/she may go and actually reset the password to that password, and now I have the user's facebook password.

  • It's not verified with physical mail either. I can put whatever from address I want on the envelope. – David Schwartz Apr 26 '14 at 09:53
  • @DavidSchwartz Right, but you aren't likely going to mail out the password to your online bank account either. With password reset confirmation, people who are short of computer savvy might be at risk of falling for it, with email being so common. –  Apr 26 '14 at 09:56
  • I don't agree. People receive letters from their school, bank, employer, government, and the like every day. They *are* likely to act on requests, respond with information, fill out forms, and so on. – David Schwartz Apr 26 '14 at 09:57
  • @DavidSchwartz and I was born into computers, but before a year ago when I started working with PHP, I'd have never had a clue that the displayed sender wasn't necessarily real... I'm sure 95% of people assume that the displayed sender is really the person sending the email. –  Apr 26 '14 at 09:59
  • @DavidSchwartz Yes, well.. I'm just trying to figure out why we didn't secure that.. We certainly could have. –  Apr 26 '14 at 09:59
  • I don't agree that we could have. Can you suggest a mechanism that would have been doable in 1981? Is there even one now? – David Schwartz Apr 26 '14 at 10:02
  • @DavidSchwartz it would be a big deal, sure, but yes, sort of the way we regulate IPs, we could validate email as part of a global web service, rather than a simple protocol. Validation requires a central database. It would be rather expensive, hosting a database and validation service of that size. –  Apr 26 '14 at 10:09
  • Web services didn't exist until at least 1989. That's still 8 years too late. And it's not clear how such a web service would work. – David Schwartz Apr 26 '14 at 10:10
  • @jt0dd: Central databases have been attempted many times. They never worked. HOSTS.TXT evolved into a distributed DNS; IP address assignment by the central NIC was distributed to multiple RIRs; the X.500 directory never really existed... Like you said, it'd be very expensive. Who would manage that database? What company, and especially what public mail provider, would want to trust a central database with every single account name that they have? – u1686_grawity Apr 26 '14 at 10:25
  • @grawity of course, that's correct, I would suggest the same method that we use for DNS rather than a central database. However, David showed 2 examples of better solution attempts than that. –  Apr 26 '14 at 10:29

3 Answers

2

Digital signatures solve the problem of sender impersonation (at least technically) end-to-end:

A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, such that the sender cannot deny having sent the message (authentication and non-repudiation) and that the message was not altered in transit (integrity). Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

Signatures can be used in email through S/MIME and PGP / GnuPG certificates. For example, Thunderbird has a popular Enigmail extension interfacing with GnuPG to check and sign messages. Outlook supports S/MIME.

To sign a message, a sender uses a private key that must not be shared. To check a message, a receiver uses the public key of the sender, which can be shared to everyone interested in validating this sender's messages. Such public keys are available through key servers. There are also key signing parties in which people physically meet to assert that they are who they pretend to be and sign each other's digital certificates.

So it's not that no one thought about the problem; actually, it was studied in detail, and solutions have been implemented and available for a while, including in free software.

To me the question would be: Why isn't everyone using that already? Why aren't large mail providers like GMail or Outlook.com or Yahoo Mail proposing digital certificates along with email accounts, encouraging and helping their users to sign their messages? Why, when joining a new company, does an employee generally get an email address and a password to send/receive messages, but not a pair of digital keys to properly sign his/her messages?

Probably, we're collectively too complacent or lazy to take the necessary steps. Maybe it's like switching from IPv4 to IPv6. We know we should do it, but we're scared of the change and effort and wait for the rest of the world to do it first, and it doesn't happen.

Daniel Vérité
  • Good answer man. I think you're right, too. We're too complacent and lazy for it. –  Apr 26 '14 at 21:31
  • Yes, digital signatures are something that I hadn't thought of, since we never use them, but you're completely right. That makes far more sense than a global validation system. –  Apr 26 '14 at 22:59
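As an added example, not part of Daniel's answer and not the code of any real S/MIME or PGP implementation, the following Python shows the mechanics the answer describes: the sender signs a digest of the message with a private key, and anyone holding the matching public key can check it. The key pair is built from two publicly known Mersenne primes so that the example runs offline, and it uses unpadded textbook RSA; both are assumptions made for illustration only, since a real implementation uses freshly generated secret primes (or an elliptic-curve scheme) and a padding scheme such as RSASSA-PSS.

```python
"""Added example: digital-signature mechanics for an email message.
Illustrative textbook RSA over the SHA-256 digest of the canonicalised
headers and body.  The primes are public constants (chosen only so the
example runs offline), so this key pair is NOT secret, and the scheme lacks
the padding that real S/MIME or PGP signatures require."""
import hashlib
import math

E = 65537
# Constructed key material: Mersenne primes M521 and M607 (publicly known,
# so this key pair is for demonstration only).
_P = 2**521 - 1
_Q = 2**607 - 1


def make_keypair(p=_P, q=_Q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def canonicalise(headers, body):
    """Deterministic bytes for the parts the signature covers.  Header names
    are lower-cased and sorted so that a mail server re-ordering or re-casing
    them does not break the signature, while any change to From, Subject or
    the body does."""
    items = sorted(headers.items(), key=lambda kv: kv[0].lower())
    lines = [f"{name.lower()}:{value.strip()}" for name, value in items]
    return ("\r\n".join(lines) + "\r\n\r\n" + body.strip()).encode("utf-8")


def _digest(headers, body):
    return int.from_bytes(hashlib.sha256(canonicalise(headers, body)).digest(), "big")


def sign(private_key, headers, body):
    """Signature = digest^d mod n (textbook RSA; real code pads the digest)."""
    n, d = private_key
    digest = _digest(headers, body)
    assert digest < n
    return pow(digest, d, n)


def verify(public_key, headers, body, signature):
    """True iff signature^e mod n reproduces the digest of this exact message."""
    n, e = public_key
    return pow(signature, e, n) == _digest(headers, body)


def demo():
    """The scenarios from the thread: a genuine signed request, an impersonator
    who can write the From header but lacks the boss's private key, and a
    message altered after signing.  Returns which ones verify."""
    boss_pub, boss_priv = make_keypair()
    headers = {"From": "boss@example.com", "To": "secretary@example.com",
               "Subject": "Customer list"}
    body = "Please send me the current customer list."
    sig = sign(boss_priv, headers, body)

    # Impersonator: identical headers, but signed with a different key pair
    # (another pair of public Mersenne primes, M1279 and M521).
    _, imp_priv = make_keypair(p=2**1279 - 1, q=2**521 - 1)
    forged_sig = sign(imp_priv, headers, body)

    # Message modified in transit after the boss signed it.
    tampered_body = body + " Also copy it to my-other-address@example.org."

    # Servers may re-order headers; canonicalisation makes that harmless.
    reordered = dict(reversed(list(headers.items())))

    return {
        "genuine": verify(boss_pub, headers, body, sig),
        "reordered_headers": verify(boss_pub, reordered, body, sig),
        "forged_sender": verify(boss_pub, headers, body, forged_sig),
        "tampered_body": verify(boss_pub, headers, tampered_body, sig),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:18s} verifies: {ok}")
```

Only the genuine message (and the same message with its headers re-ordered) verifies against the boss's public key; the impersonator's signature and the tampered body both fail, which is exactly the property the answer says S/MIME and PGP provide.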
0

The SMTP protocol on which email was based was developed at least 20 years before schemes to perform that kind of verification were available free of encumbrance from patents, export restrictions, and the like.

If you're asking why such a feature wasn't added -- well, there have been many attempts to add such features.

David Schwartz
  • So just a very old system.. Who would be responsible for updating that standard? –  Apr 26 '14 at 10:03
  • Many have tried. See, for example, [spf](http://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](http://en.wikipedia.org/wiki/DKIM). – David Schwartz Apr 26 '14 at 10:04
  • Those both look like excellent attempts. –  Apr 26 '14 at 10:12
  • @grawity with validation, everything always gets harder. But might the security be worth the extra difficulty? Apparently not, judging by the outcome of those attempts. –  Apr 26 '14 at 10:34
0

Although you can put whatever you want in the from field, the IP address you send the email from cannot be forged, so it can always be traced back to the imposter.

True, people are a bit careless and just assume any email from someone they think they know is from them, regardless of what they ask in that email.

I, for one, when I get an email asking for information that the person normally wouldn't ask for, an internal alarm is raised (I get suspicious). I then always check the IP address of the sender and, if I'm unsure, I'll contact the sender asking if they indeed sent that email.

LPChip
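As an added example that belongs to neither answer, the two checks the last two answers point at, the SPF/DKIM results David Schwartz's comment mentions and the connecting IP address LPChip looks at, applied to constructed message headers with Python's standard email module. The receiving host name mx.example.com, the three sample messages, and the exact Authentication-Results layout are assumptions made for this example. The example also encodes the caveat a practitioner needs: only the Received and Authentication-Results headers written by your own server are trustworthy, because anything below them in the chain was supplied by the sender.

```python
"""Added example: check who a message really came from using the headers our
own mail server added.  All sample messages below are constructed."""
import email
import re
from email.utils import parseaddr

OUR_HOST = "mx.example.com"  # assumed name of our receiving server

# A forged "boss" message delivered directly from an unrelated host.
FORGED = """\
Received: from mail.cheap-vps.example.net (mail.cheap-vps.example.net [203.0.113.45])
    by mx.example.com with ESMTP id 4XyZ; Sat, 26 Apr 2014 09:50:01 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=boss@example.com;
    dkim=none
From: "The Boss" <boss@example.com>
To: secretary@example.com
Subject: Urgent: send me the customer list

Please send the full customer list to my personal address.
"""

# The same request sent through the company's real mail server.
GENUINE = """\
Received: from mail.example.com (mail.example.com [198.51.100.10])
    by mx.example.com with ESMTP id 1AbC; Sat, 26 Apr 2014 09:40:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=boss@example.com;
    dkim=pass header.d=example.com
From: "The Boss" <boss@example.com>
To: secretary@example.com
Subject: Q1 figures

Please send me the Q1 figures.
"""

# A sender who inserted an Authentication-Results header of their own,
# claiming a pass; its authserv-id is not ours, so it must be ignored.
SELF_ASSERTED = """\
Received: from mail.cheap-vps.example.net (mail.cheap-vps.example.net [203.0.113.45])
    by mx.example.com with ESMTP id 7QrS; Sat, 26 Apr 2014 09:55:00 +0000
Authentication-Results: mail.cheap-vps.example.net; spf=pass; dkim=pass header.d=example.com
From: "The Boss" <boss@example.com>
To: secretary@example.com
Subject: Password list

Reply with the admin passwords, I am locked out.
"""


def connecting_ip(msg, our_host=OUR_HOST):
    """IP recorded by our own server: the Received header whose 'by' clause
    names our host.  Received lines further down were written by other
    servers and can be fabricated by the sender."""
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())
        if re.search(r"\bby\s+" + re.escape(our_host) + r"\b", flat):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
            if m:
                return m.group(1)
    return None


def auth_results(msg, our_host=OUR_HOST):
    """SPF/DKIM results from the Authentication-Results header whose
    authserv-id is our own host.  Returns {} when no trusted header exists."""
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())
        authserv, _, rest = flat.partition(";")
        if authserv.strip().lower() != our_host.lower():
            continue
        results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
        m = re.search(r"header\.d=([\w.-]+)", rest)
        if m:
            results["dkim_domain"] = m.group(1).lower()
        return results
    return {}


def assess(raw, our_host=OUR_HOST):
    """Return the From domain, the IP our server saw, and a list of findings
    that should make a reader suspicious before acting on the message."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = auth_results(msg, our_host)
    findings = []
    if not auth:
        findings.append("no trusted Authentication-Results from " + our_host)
    else:
        if auth.get("spf") != "pass":
            findings.append(f"spf={auth.get('spf', 'none')}")
        if auth.get("dkim") != "pass":
            findings.append(f"dkim={auth.get('dkim', 'none')}")
        elif auth.get("dkim_domain") != from_domain:
            findings.append(f"DKIM signed by {auth['dkim_domain']} but From is {from_domain}")
    return {"from_domain": from_domain,
            "connecting_ip": connecting_ip(msg, our_host),
            "findings": findings}


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE), ("self-asserted", SELF_ASSERTED)):
        print(name, assess(raw))
```

The forged message is flagged because our server's SPF check failed and there is no DKIM signature, even though its From header is indistinguishable from the genuine one; the third message shows why the authserv-id must be checked, since a sender can add an Authentication-Results header claiming whatever they like.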