lists.openwall.net
Open Source and information security mailing list archives
 
From: lceone at comcast.net (lceone@...cast.net)
Subject: [LONG] Improving E-mail security...

Bengt Ruusunen wrote:
> - E-mail receiving server could check that 'very first original' From: 
> line and if it is the same as the receiver address, i.e. 'someone@...eone.com'
> 
> Perform a check to see if the 'sender identification', i.e. salted public 
> key, GUID or something (X-Authenticated-Guid: #0a845d299ca340087140) 
> exists in mail header.

Sort of like a required, server based, pgp check?

<OPINION>
I think it's just about time that we stop patching over this dinosaur 
protocol that we call SMTP (RFC 821 from *August 1982*).  This protocol 
was originally designed to send text messages from one machine to 
another back in the "Good Ol' Days" when the internet was safe because 
it existed at two schools and a government institution.

Then as the years went on, the protocol became inadequate.  e.g. it only 
allowed for a message to use the 128 ASCII character codes.  So instead 
of re-evaluating and rewriting the protocol, we've patched it.  We added 
MIME, because that made it easier to send each other HTML formatted 
email and pictures of our cats.  We added PGP, but not frequently or in 
a consistent manner.  We added pretty features, but we've neglected any 
security that should have been added, or problems fixed (feature bloat 
anyone?).

But you can't do that.  You can't build a big house on a small foundation 
or it will crumble.  Today's *constant* problems/viruses/spam/etc are the 
crumble showing itself.  It will only get worse from here.  Seriously, 
we shouldn't have to think twice about simply viewing an email for fear 
of self-executing viruses.  That should not be an option.

<SEMI-FACTUAL BABBLING>
About spam.  This problem, I think, mainly arises from the fact that the 
spamming server can connect to domain.com, transmit one copy of the spam 
email, and send it to 100,000 users, from anyone, to anyone, no 
questions asked.  This puts a huge load on the receiving server, and 
comparably minimal load on the sending server (depending on message 
size).  If the protocol was rewritten to allow only "one for one" 
sending, maybe this would slow them down?  I dunno, just a thought.
Oh! And *maybe* we could make relaying OFF by default!  Wacky ideas.
</SEMI-FACTUAL BABBLING>

So maybe it would be in the best interest of the internet community if 
someone stopped and took a look at what the requirements for a good 
communications protocol to replace email would be, and tried to put one 
together from the ground up.  Security, features, and all.  Heck, if I 
can get a group together, I'll take a crack at the darn thing myself. 
But I don't claim to be any sort of expert on anything (except maybe the 
semi-factual babbling), so I'd need a good group.
</OPINION>

Just my $0.10

-Larry Engleman

