
DMARC is not the solution to E-mail Fraud.

The latest craze in E-mail security appears to be DMARC. Let me preface my post by saying I use DMARC, I use SPF and I use DKIM. I understand that people are mostly up in arms about the importance of DMARC because of how many major organizations haven’t adopted it. I understand its importance.

Problems with DMARC

Here’s the issue as I see it. DMARC does not solve phishing E-mails. It adds a policy and reporting layer on top of SPF and DKIM, and it does nothing to solve trust or identity in E-mail.

DMARC requires the recipient server to check it in order to function at all. What it adds over SPF and DKIM on their own is alignment: the domain in the From: header that the user actually sees must match the domain that passed SPF (the envelope MAIL FROM) or DKIM (the d= tag), and a DNS record published by the domain owner tells the recipient to reject, quarantine, or deliver mail that fails. SPF by itself only judges the envelope sender, which the user never sees, so the disposition DMARC adds is about the visible address rather than a feature SPF already provided.

This prevents someone from sending E-mail as “custserv@paypal.com” from a server PayPal hasn’t authorized, but it doesn’t do anything to prevent them from sending from “custserv@payypal.com”, a look-alike domain they own and can set up SPF, DKIM and a DMARC record for themselves. That is how a huge number of phishing attacks are launched.

Oh, and DMARC gives you reports on who is sending unauthenticated E-mail from your domain. The per-message forensic (ruf) reports are of little use in a high-traffic real-world scenario because you can’t take any effective action against the perpetrators; in practice the aggregate (rua) reports are mainly good for finding your own legitimate senders that aren’t authenticated yet before you move from p=none to p=reject.
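Here is what a receiving server’s DMARC check actually does, as an added Python example that is not part of the original post. The domains, DNS records and SPF/DKIM results are all constructed inline, and the organizational-domain lookup is simplified (a real implementation consults the Public Suffix List). It runs the three cases discussed above: a spoof of the real domain, a look-alike domain the attacker owns, and a domain that only publishes p=none.

```python
"""DMARC evaluation over three constructed messages. Added example, not from the
original post; every domain, record and authentication result here is made up."""

# Constructed DNS: the TXT record each domain publishes at _dmarc.<domain>.
DNS = {
    "_dmarc.paypal.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@paypal.example",
    "_dmarc.payypal.example": "v=DMARC1; p=reject",   # attacker's look-alike, with its own valid policy
    "_dmarc.bigcorp.example": "v=DMARC1; p=none; rua=mailto:reports@bigcorp.example",
}


def parse_dmarc(txt):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplified to the last two
    labels; real code uses the Public Suffix List so that co.uk etc. work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(msg):
    """Return (dmarc_result, disposition). `msg` carries the From: header domain and
    the results the receiver already obtained from SPF (on MAIL FROM) and DKIM (d= tag)."""
    record = DNS.get("_dmarc." + msg["header_from"])
    if record is None:
        return "none", "deliver"          # no policy published: DMARC does not apply
    tags = parse_dmarc(record)
    spf_ok = msg["spf"] == "pass" and aligned(msg["header_from"], msg["mail_from"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["header_from"], msg["dkim_d"], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = tags.get("p", "none")
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


# Three constructed messages.
MESSAGES = {
    # 1. Classic spoof: attacker's own server, SPF passes for the attacker's MAIL FROM,
    #    but the From: the user sees says paypal.example. SPF alone is happy; DMARC is not.
    "spoof": {"header_from": "paypal.example", "mail_from": "bounce.attacker.example",
              "spf": "pass", "dkim": "none", "dkim_d": ""},
    # 2. Look-alike: attacker registered payypal.example and set up SPF, DKIM and DMARC
    #    for it properly. Every check passes. This is the post's point.
    "lookalike": {"header_from": "payypal.example", "mail_from": "payypal.example",
                  "spf": "pass", "dkim": "pass", "dkim_d": "payypal.example"},
    # 3. p=none: the spoof is detected but still delivered; only a report goes out.
    "monitor_only": {"header_from": "bigcorp.example", "mail_from": "attacker.example",
                     "spf": "pass", "dkim": "none", "dkim_d": ""},
}


def run():
    """Evaluate every constructed message; returns {name: (dmarc_result, disposition)}."""
    return {name: evaluate(msg) for name, msg in MESSAGES.items()}


if __name__ == "__main__":
    for name, (result, action) in run().items():
        print(f"{name:13s} dmarc={result:4s} -> {action}")
```

Note that the first and third messages both carry spf=pass: a receiver that stopped at SPF would deliver both, because SPF only judges the envelope sender. DMARC rejects the first only because the real domain publishes p=reject and the From: header is not aligned with anything that authenticated. The look-alike passes cleanly because its owner controls every record DMARC consults, which is the gap the rest of this post is about.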

Key Pair Signing & Encryption, a Real Solution.

Meanwhile we have PGP/GPG signatures which would, if properly implemented, provide a user friendly means of identifying the sender of an E-mail and verifying the integrity of an E-mail. But these have been completely disregarded by nearly 100% of organizations as “too difficult” to implement. Seriously, why doesn’t GMAIL come with a ‘PGP’ button?

PGP is arguably easier to implement worldwide than SPF + DKIM + DMARC. All you need to do is build the functionality client-side to create keys, manage keyrings and talk to key servers. Compare this with setting up three different inline mail verification tools on every E-mail server in the world, plus a slew of DNS records which, under a p=none policy, instruct servers to deliver failing E-mails anyway without any warning to the end user.

Why are we being sold this half-assed solution to E-mail fraud when the real answer has existed for decades and would be easier to implement? If someone can explain why DMARC is being treated as the holy grail of E-mail security I would really appreciate it.

GPG/PGP is “Too Hard” for End Users

Bullshit. The difficulty of PGP/GPG has nothing to do with the technology and everything to do with the lack of proper support in E-mail clients. End users don’t need to understand the technology at all; they just need a button that creates a key pair and publishes the public half to key servers. The process is no more complicated than adding people to the address book on your phone.

Paranoid Conclusion

Using key pairs to verify the authenticity of E-mail comes with a bonus feature: the same keys can be used to encrypt E-mail to the point that it is “uncrackable”. Adding the signing capability to a service like GMAIL would also make it a lot easier for users to encrypt their E-mail, which would destroy Google’s business model since they read all of your E-mail to gather data. This is probably the #1 reason why key pairs have been ignored, with the #2 reason being pressure from world governments.

Your Thoughts?

My paranoid conclusion is not the only possible scenario, I would love to hear the opinions of other internet security experts on this issue.

Some Good News

You can implement PGP/GPG in your own E-mail and start using it with your friends, family and colleagues right away. And you should. Visit the Electronic Frontier Foundation website to find simple step-by-step tutorials for all platforms.

My Public Key: https://tailpuff.net/keys/

Contact Simba

About

I am a furry.

I am also a fierce atheist, patriot, American citizen, pacifist.

I like video games and toys and music and instruments and movies and books and tv.

We can talk! Send e-mail to learn more about me.

Contact

If you would like to contact me in a secure fashion, please send me an E-mail encrypted with my PGP Public Key which you can find below.

You can also find me on Matrix.org as ‘SimbaLion’.

Matrix.org Device IDs

Mobile: FAHUQEBZOT 
Desktop: QZAMXZCPEX

Channels Frequented:

Social Media

If you’re interested in my opinions, start here at my blog. I do use social media sometimes, but my thoughtful posts land here.

You can find me on Twitter but I don’t really use it anymore. Instead, follow me on Mastodon, @simba@pridelands.io.

E-mail

PGP Public Key

Fingerprint: 32FF 61C4 563D 7008 2239 598B D9C6 E8A1 E28C 16F4
64-Bit: D9C6 E8A1 E28C 16F4


Encryption, PGP and Keybase.io

Privacy matters. Encryption matters.

Everyone has heard that the United States government is spying on you. They probably aren’t the only ones. If you aren’t concerned that strangers are reading your E-mails and instant messages and tracking your browsing history, you really, really should be.

A strong encrypted solution to online privacy has existed since 1991, when PGP was invented. A lot of people think that public-key (key-pair) encryption, the building block of end-to-end encryption, is really complicated or technical, but it isn’t.

How it works

You have two keys: a PRIVATE KEY and a PUBLIC KEY. Your PRIVATE KEY is kept private, and you give your PUBLIC KEY to the world.

Receiving encrypted files & emails

When someone wants to send you an encrypted message or file, they encrypt it using your PUBLIC KEY. You decrypt it with your PRIVATE KEY.

Sending encrypted files & emails

When you want to send someone else an encrypted message or file, you encrypt it using their PUBLIC KEY and the other person decrypts it using their PRIVATE KEY.

The Trust Issue

There is another consideration: how do you know that the PUBLIC KEY which claims to be from john.doe@example.com actually belongs to Mr. Doe? In the past the method was to create a “web of trust”. John would personally give you his PUBLIC KEY (or you would check its fingerprint with him face to face), and you would digitally sign it using your key. Then when John gives his PUBLIC KEY to someone else, they can see that you have vouched for its authenticity. The problem with this is that everyone needs to do it. This has been one of the greatest hurdles in the adoption of key-pair encryption.

Enter Keybase.io

The clever folks at Keybase.io have found a solution. Their service lets you connect your PUBLIC KEY with various online identities, such as Twitter and Reddit, or websites which you control, by posting a statement signed with your key on each of them. Those accounts are considered trustworthy because we use them every day to communicate with our family, friends, and colleagues, and anyone can check for themselves that the same person controls both the account and the key. This practically solves the trust issue, eliminating the necessity for the “web of trust”.

Keybase.io will also help you with the creation of a key pair, which simplifies and standardizes the process for a lot of people. Keybase.io also generates separate key pairs for each device that you use, be it a smart phone, a laptop or a desktop. If you stop using a particular device (for example if your smart phone is lost or stolen) you can revoke the keys for that device, preventing someone from using it to impersonate you, without having to destroy your original PRIVATE KEY.
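The send/receive flow from the “How it works” section and both answers to the trust issue (a web-of-trust certification and a Keybase-style signed proof) in one added Python example. This is not code from the original post or from Keybase; it uses the `cryptography` package (pip install cryptography) with Ed25519 for signing and X25519 for the encryption key pair, and every name, key and “proof” statement is constructed inline.

```python
"""Added example (not from the original post): PGP-style send/receive plus the
two ways of trusting a key described in the text. All identities are constructed."""
import hashlib
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, x25519
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)


class Identity:
    """One person: a signing key pair (Ed25519) and an encryption key pair (X25519).
    A PGP key bundles both roles the same way (primary key plus subkeys)."""
    def __init__(self, name):
        self.name = name
        self.sign_priv = ed25519.Ed25519PrivateKey.generate()   # PRIVATE KEY: never leaves here
        self.enc_priv = x25519.X25519PrivateKey.generate()

    def public_bundle(self):
        """The PUBLIC KEY half, which you hand to the world."""
        return {"name": self.name,
                "sign": self.sign_priv.public_key().public_bytes(*RAW),
                "enc": self.enc_priv.public_key().public_bytes(*RAW)}


def fingerprint(bundle):
    """Short, stable identifier of a public key, like a PGP fingerprint."""
    return hashlib.sha256(bundle["sign"] + bundle["enc"]).hexdigest()[:40]


def _session_key(shared_secret):
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"pgp-style-demo").derive(shared_secret)


def send(sender, recipient_bundle, plaintext):
    """Sign with the SENDER's private key, encrypt to the RECIPIENT's public key.
    Hybrid, as PGP does it: a fresh symmetric key protects the body, and the
    public-key step (an ephemeral X25519 exchange here) only protects that key."""
    sig = sender.sign_priv.sign(plaintext)                       # 64 bytes
    eph = x25519.X25519PrivateKey.generate()
    shared = eph.exchange(x25519.X25519PublicKey.from_public_bytes(recipient_bundle["enc"]))
    nonce = os.urandom(12)
    body = AESGCM(_session_key(shared)).encrypt(nonce, sig + plaintext, None)
    return {"eph": eph.public_key().public_bytes(*RAW), "nonce": nonce, "body": body}


def receive(recipient, sender_bundle, msg):
    """Decrypt with the RECIPIENT's private key, then verify the claimed SENDER's
    signature. Returns the plaintext, or None if the body was altered, was not
    encrypted to us, or was not signed by the key we believe is the sender's."""
    shared = recipient.enc_priv.exchange(x25519.X25519PublicKey.from_public_bytes(msg["eph"]))
    try:
        blob = AESGCM(_session_key(shared)).decrypt(msg["nonce"], msg["body"], None)
        sig, plaintext = blob[:64], blob[64:]
        ed25519.Ed25519PublicKey.from_public_bytes(sender_bundle["sign"]).verify(sig, plaintext)
    except (InvalidTag, InvalidSignature):
        return None
    return plaintext


def _key_bytes(bundle):
    return bundle["name"].encode() + bundle["sign"] + bundle["enc"]


# Trust option 1, web of trust: Carol met Alice, checked her fingerprint in person,
# and certifies (signs) Alice's public key. People who trust Carol can rely on that.
def certify(voucher, bundle):
    return voucher.sign_priv.sign(_key_bytes(bundle))


def vouched_by(voucher_bundle, bundle, cert):
    try:
        ed25519.Ed25519PublicKey.from_public_bytes(voucher_bundle["sign"]).verify(cert, _key_bytes(bundle))
        return True
    except InvalidSignature:
        return False


# Trust option 2, Keybase-style proof: Alice posts a statement signed by her key on an
# account she controls. A dict stands in here for the tweet or web page that would hold it.
def make_proof(identity, service, handle):
    statement = (f"I am {handle} on {service} and my key fingerprint is "
                 f"{fingerprint(identity.public_bundle())}").encode()
    return {"service": service, "handle": handle, "statement": statement,
            "sig": identity.sign_priv.sign(statement)}


def proof_binds(bundle, proof):
    """True only if the statement names this key's fingerprint AND was signed by this
    key, i.e. whoever controls the account also controls the key."""
    try:
        ed25519.Ed25519PublicKey.from_public_bytes(bundle["sign"]).verify(proof["sig"], proof["statement"])
    except InvalidSignature:
        return False
    return fingerprint(bundle).encode() in proof["statement"]


def demo():
    alice, bob, carol, mallory = (Identity(n) for n in ("alice", "bob", "carol", "mallory"))
    cert = certify(carol, alice.public_bundle())
    proof = make_proof(alice, "twitter", "alice_real")
    return {
        "bob_reads": receive(bob, alice.public_bundle(), send(alice, bob.public_bundle(), b"lunch at noon?")),
        # Mallory can encrypt to Bob, but cannot sign as Alice: Bob's client rejects it.
        "forgery": receive(bob, alice.public_bundle(), send(mallory, bob.public_bundle(), b"send money")),
        "alice_vouched": vouched_by(carol.public_bundle(), alice.public_bundle(), cert),
        "mallory_vouched": vouched_by(carol.public_bundle(), mallory.public_bundle(), cert),
        "alice_proof": proof_binds(alice.public_bundle(), proof),
        "mallory_proof": proof_binds(mallory.public_bundle(), proof),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value!r}")
```

The two trust checks fail in different ways on purpose: Carol’s certification over Mallory’s key does not verify because Carol never signed it, and Alice’s proof does not bind to Mallory’s key because the signature was made with a different key and the fingerprint in the statement is not hers. Either check is something a client could run automatically, which is the point the text makes about Keybase removing the need for everyone to sign everyone else’s key by hand.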

The Future, Transparency and Ease-of-Use

Encryption is the future. It is the future because the alternatives are too horrifying to live with, which is why we have books and movies like 1984 and The Matrix warning us about them years in advance. Privacy is sacred, and as a species human beings are going to embrace it, whether the government likes it or not (they really don’t like it). There have been technical hurdles to overcome, but with open-source projects like Keybase.io, I am confident that the future of privacy looks bright.