Slashdot Mirror


Big Internet Players Propose DMARC Anti-Phishing Protocol

judgecorp writes "Google, Microsoft, PayPal, Facebook and others have proposed DMARC, or Domain-based Message Authentication, Reporting and Conformance, an email authentication protocol to combat phishing attacks. Authentication has been proposed before; this group of big names might get it adopted." Adds reader Trailrunner7, "The specification is the product of a collaboration among the large email receivers such as AOL, Gmail, Yahoo Mail and Hotmail, and major email senders such as Facebook, Bank of America and others, all of whom have a vested interest in either knowing which emails are legitimate or being able to prove that their messages are authentic. The DMARC specification is meant to be a policy layer that works in conjunction with existing mail authentication systems such as DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework)."
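To make the "policy layer" idea concrete: DMARC does not authenticate anything itself. It asks whether an SPF or DKIM pass was produced for a domain that aligns with the visible From: domain, and if neither aligns, applies the policy the From: domain's owner published. The following Python is an added illustration, not code from the article or from any of the companies named in it. It assumes the DMARC record is supplied inline instead of being fetched from DNS at `_dmarc.<domain>`, approximates the organizational domain by the last two labels (the real protocol consults the Public Suffix List), and ignores the `pct` sampling tag. All message data is constructed.

```python
"""Minimal DMARC policy evaluation over SPF/DKIM results (illustrative example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuthResults:
    """Constructed results of the underlying SPF and DKIM checks for one message."""
    from_domain: str                          # domain in the RFC5322.From header
    spf_pass_domain: Optional[str] = None     # MAIL FROM domain that SPF authenticated, if SPF passed
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of each valid DKIM signature


def parse_dmarc_record(txt: str) -> dict:
    """Parse a record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict with defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # requested policy: none, quarantine or reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r (relaxed) or s (strict)
    tags.setdefault("aspf", "r")      # SPF alignment: r (relaxed) or s (strict)
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(results: AuthResults, record_txt: str) -> dict:
    """Combine SPF/DKIM outcomes with the From: domain's published policy."""
    record = parse_dmarc_record(record_txt)
    spf_aligned = bool(results.spf_pass_domain) and aligned(
        results.spf_pass_domain, results.from_domain, record["aspf"])
    dkim_aligned = any(aligned(d, results.from_domain, record["adkim"])
                       for d in results.dkim_pass_domains)
    dmarc_pass = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if dmarc_pass else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # A passing message is delivered normally; a failing one gets the published policy.
        "disposition": "none" if dmarc_pass else record["p"],
    }


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject"
    # Constructed lookalike: From: claims bank.example, but SPF/DKIM only vouch for attacker.example.
    spoofed = AuthResults("bank.example", "mailer.attacker.example", ["attacker.example"])
    # Constructed legitimate message: DKIM signature from the From: domain itself.
    genuine = AuthResults("bank.example", None, ["bank.example"])
    print("spoofed:", evaluate_dmarc(spoofed, policy))   # dmarc fail, disposition reject
    print("genuine:", evaluate_dmarc(genuine, policy))   # dmarc pass, disposition none
```

The key point for receivers is that an SPF or DKIM pass alone proves nothing about the displayed sender; a phisher can sign with their own domain. DMARC's contribution is the alignment requirement plus a published instruction for what to do when it fails, which is why the summary calls it a policy layer rather than a new authentication mechanism.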

4 of 92 comments

  1. We already have email authentication by Sloppy · Score: 5, Informative

    Sign your emails. The tech has been out there for two decades. Decades, and that's real world time, not "internet time."

    Everybody sign your emails, so that email from fuck-knows-who sticks out like a sore thumb. This would strike a great blow to phishing, and spam in general.

    And best of all, people don't need new software for it. You don't need a new standard because there are already two competing standards (PGP vs S/MIME) -- why add a third? Just start using what you've already got.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:We already have email authentication by Nemilar · Score: 5, Insightful

      The problem with PGP/signed emails is that you're putting the burden on the user. I'm a pretty technical guy, and I don't even want to bother with it. There's no way that the average person is going to take the time to understand and implement PGP.

      The proposed solution puts the burden entirely on the system and the providers, so is more likely to be adopted and actually used (and therefore, successful in its end-purpose of stopping phishing attacks).

      --
      Nemilar http://www.techthrob.com - Visit Me!
    2. Re:We already have email authentication by Albanach · Score: 5, Interesting

      There are also issues with PGP and webmail used by probably the majority of home users, as well as the multitude of devices people now have for email.

      You need to sync keys between devices securely, and with webmail you pretty much need to have a browser plugin take over the signing part, unless you want to entrust your private key to a third party.

      Simply checking mail on an untrusted web terminal then becomes problematic - sure, you can read signed but not encrypted email, but if you tell people it's okay to trust that sometimes, they won't bother checking at other times.

    3. Re:We already have email authentication by heypete · Score: 5, Interesting

      I'm an American studying in Switzerland. I bank with PostFinance, the post office-run financial institution.

      Any electronic documents or messages from the bank are digitally signed: PDFs are signed and time-stamped using the built-in PDF signature methods. Emails, even the general informative newsletter containing no account-related information at all, are signed with S/MIME. Any account-related communications take place using the internal messaging system on their secure website (which requires that the user have access to their bank-issued smartcard and offline calculator-like challenge-response device). The instructions that came with the bank card and calculator device make it very clear how to verify that one is actually on the bank's website.

      It's trivial to verify that documents and emails are actually issued by the bank, and the login method for the bank's website makes phishing much more difficult.

      Compared to USAA, one of the more clueful US banks, this is excellent. Emails from USAA have the last four digits of the account number in the top-right of the message so as to "authenticate" that the message came from the bank. Of course, this is trivial to reproduce and offers no real validation. It's a shame, really.

      If more banks (and indeed, more senders in general) signed their messages, that'd be a major improvement. If the big webmail providers (Gmail, Yahoo, and Hotmail) verified S/MIME signatures and displayed a suitable indicator to users, that'd be even better.