Today I concluded that my mail-box with 120 fresh messages consisted of about
110 messages where the sender address is either falsified, or is coming through
a hijacked computer.
In my opinion S/MIME is the primary culprit for this unbearable situation.
That Windows has shown some weaknesses with respect to virus attacks is
undoubtedly true, but viruses would also have had much less impact if we had
had a useful e-mail security architecture. The same goes for phishing.
I do believe that the designers of S/MIME did what they could back in the
'90s. However, now that we know better [*], shouldn't these guys who
indirectly contribute to an annual waste of hundreds of millions of good
working hours from the Internet community rather try to create a system that to
some extent compensates for the mistakes made in the past?
DKIM is a step in the right direction but it does not address confidentiality.
That DKIM was designed to support people who want to run their own mail-servers
but cannot afford a domain-certificate is also a bit off since these entities
represent at most 0.1% of today's Internet users.
Anders Rundgren
[*]
- Client certificates are [still] uncommon
- Encryption at the desktop by consumers does not work
- Security administrators want central policy handling
- Trusted third parties are the norm (from your employer to Google)
- You cannot send an encrypted e-mail to the IRS and you probably never will
- E-mail encryption is incompatible with many organizations' internal policies
- Security should be transparent, default, and non-intrusive