terry(_at_)ashtonwoodshomes(_dot_)com wrote:
terry(_at_)ashtonwoodshomes(_dot_)com wrote:
Comparing SMTP to HTTP does not make sense because:
In http, the RECIPIENT makes the request for information,
and the RECIPIENT gets to choose (via the
browser, his trusted DNS server, etc) the correct source of
the information.
Exactly. We want the same level of certainty for smtp.
In SMTP, the RECIPIENT does NOT request the information,
nor gets to choose where it comes from.
On the other hand, the recipient DOES get to choose whether they
accept the message or not.
Just a hypothetical here:
Suppose you could only send SMTP traffic from a valid MX matching
the MAIL FROM and From: headers in the e-mail.
Would that not make SMTP authentication equivalent to http source
authentication?
Not even close. The SPF source domain authentication is at the source domain
name level, not at the
source domain name and source username level.
I never said otherwise. You can only validate domain information against
DNS. Username validation requires digital signatures. I am tending
to use the "corporate who", which it seems may be causing confusion
on this point.
Assuming no compromised servers: With http you know
who you are, and you know for certain who the info is coming from. With SMTP
and SPF you may know
with reasonable probability where its coming from but not *who*.
You have the same level of certainty. You can say "It came from
this server, which is a valid source for where it claims to be from".
You don't _know_ anything about the security of that server.
Course this HTTP to SMTP comparison/analogy is not really good to begin with,
it really is like
comparing apples to oranges:
-the data is flow the other direction (requested, vs not requested)
-HTTP talks to the senders DOMAIN, SMTP receives from a user at the senders
domain
Yes, the data flow is in the other direction, this makes authentication
more important, not less. However, I think you overestimate the level
of certainty in http, many http based attacks depend upon hiding the
identity of the server the request is coming from. Strangely, these
attacks are effective.
--
Daniel Taylor VP Operations Vocal Laboratories, Inc.
dtaylor(_at_)vocalabs(_dot_)com http://www.vocalabs.com/
(952)941-6580x203