Re: [Full-Disclosure] [LONG] Improving E-mail security...

lceone_at_comcast.net
Date: 08/27/03

  • Next message: Rainer Gerhards: "RE: [Full-Disclosure] [LONG] Improving E-mail security..."
    To: full-disclosure@lists.netsys.com
    Date: Tue, 26 Aug 2003 23:05:15 -0400
    
    

    Bengt Ruusunen wrote:
    > - E-mail receiving server could check that 'very first original' From:
    > line and if it is same than the receiver address ie. 'someone@someone.com'
    >
    > Perform an check to see if the 'sender identification' ie. salted public
    > key, GUID or something (X-Authenticated-Guid: #0a845d299ca340087140)
    > exists in mail header.

    Sort of like a required, server-based PGP check?

    <OPINION>
    I think it's just about time that we stop patching over this dinosaur
    protocol that we call SMTP (RFC 821 from *August 1982*). This protocol
    was originally designed to send text messages from one machine to
    another back in the "Good Ol' Days" when the internet was safe because
    it existed at two schools and a government institution.

    Then as the years went on, the protocol became inadequate. e.g. it only
    allowed for a message to use the 128 ASCII character codes. So instead
    of re-evaluating and rewriting the protocol, we've patched it. We added
    MIME, because that made it easier to send each other HTML formatted
    email and pictures of our cats. We added PGP, but not frequently or in
    a consistent manner. We added pretty features, but we've neglected any
    security that should have been added, or problems fixed (feature bloat
    anyone?).

    But you can't do that. You can't build a big house on a small foundation
    or it will crumble. Today's *constant* problems/viruses/spam/etc. are the
    crumbling showing itself. It will only get worse from here. Seriously,
    we shouldn't have to think twice about simply viewing an email for fear
    of self-executing viruses. That should not be an option.

    <SEMI-FACTUAL BABBLING>
    About spam. This problem, I think, mainly arises from the fact that the
    spamming server can connect to domain.com, transmit one copy of the spam
    email, and send it to 100,000 users, from anyone, to anyone, no
    questions asked. This puts a huge load on the receiving server, and
    comparatively minimal load on the sending server (depending on message
    size). If the protocol was rewritten to allow only "one for one"
    sending, maybe this would slow them down? I dunno, just a thought.
    Oh! And *maybe* we could make relaying OFF by default! Wacky ideas.
    </SEMI-FACTUAL BABBLING>

    So maybe it would be in the best interest of the internet community if
    someone stopped and took a look at what the requirements for a good
    communications protocol to replace email would be, and tried to put one
    together from the ground up. Security, features, and all. Heck, if I
    can get a group together, I'll take a crack at the darn thing myself.
    But I don't claim to be any sort of expert on anything (except maybe the
    semi-factual babbling), so I'd need a good group.
    </OPINION>

    Just my $0.10

    -Larry Engleman

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
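The two SMTP behaviours the post above complains about (one DATA fanned out to thousands of RCPT TO addresses, and relaying for anyone) are both enforced, or not, by the receiving server's envelope policy. The following is an added example, not code from the post or from any MTA: a toy SMTP policy engine that answers each envelope command the way a server with relaying off and a per-transaction recipient cap would. The local domain (example.org), the cap of 10 recipients, and the sample "bulk sender" session are all constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumptions for this example: the domains we deliver for locally and the
# per-transaction recipient cap. Real MTAs expose both as configuration.
LOCAL_DOMAINS = {"example.org"}
MAX_RCPT_PER_MESSAGE = 10

# Accepts "FROM:<user@host>" / "TO:<user@host>" and captures the address.
_ADDR_RE = re.compile(r"^(?:FROM|TO):\s*<([^<>@\s]+@[^<>@\s]+)>$", re.IGNORECASE)


@dataclass
class Session:
    # Relaying is OFF unless the client is explicitly trusted (e.g. authenticated).
    relay_allowed: bool = False
    sender: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)


def _parse_addr(arg: str) -> Optional[str]:
    m = _ADDR_RE.match(arg.strip())
    return m.group(1) if m else None


def handle(session: Session, line: str) -> str:
    """Apply one client command to the session and return the server reply."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return "250 mx.example.org"
    if verb == "MAIL":
        addr = _parse_addr(arg)
        if addr is None:
            return "501 5.5.4 Syntax: MAIL FROM:<address>"
        session.sender, session.rcpts = addr, []  # a new transaction resets the envelope
        return "250 2.1.0 Ok"
    if verb == "RCPT":
        if session.sender is None:
            return "503 5.5.1 Error: need MAIL command"
        addr = _parse_addr(arg)
        if addr is None:
            return "501 5.5.4 Syntax: RCPT TO:<address>"
        domain = addr.rpartition("@")[2].lower()
        # Relay check first: mail for a domain we do not host is refused outright.
        if domain not in LOCAL_DOMAINS and not session.relay_allowed:
            return "554 5.7.1 Relay access denied"
        # Then the fan-out cap: the client must start a new transaction for the rest.
        if len(session.rcpts) >= MAX_RCPT_PER_MESSAGE:
            return "452 4.5.3 Too many recipients"
        session.rcpts.append(addr)
        return "250 2.1.5 Ok"
    if verb == "DATA":
        if not session.rcpts:
            return "503 5.5.1 Error: no valid recipients"
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "RSET":
        session.sender, session.rcpts = None, []
        return "250 2.0.0 Ok"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.2 Error: command not recognized"


def run_session(commands, relay_allowed=False):
    """Feed a command list through a fresh session and tally the outcomes."""
    s = Session(relay_allowed=relay_allowed)
    transcript = [(c, handle(s, c)) for c in commands]
    return {
        "accepted": len(s.rcpts),
        "relay_denied": sum(r.startswith("554") for _, r in transcript),
        "over_limit": sum(r.startswith("452") for _, r in transcript),
        "transcript": transcript,
    }


# Constructed sample: a bulk sender tries to fan one message out to 12 local
# mailboxes plus 2 addresses at other domains in a single transaction. The
# message body after DATA is not modelled, so the sample stops there.
SAMPLE_SPAM_SESSION = (
    ["EHLO bulk.example", "MAIL FROM:<promo@bulk.example>"]
    + [f"RCPT TO:<user{i}@example.org>" for i in range(12)]
    + ["RCPT TO:<someone@elsewhere.example>", "RCPT TO:<other@third.example>", "DATA"]
)

if __name__ == "__main__":
    result = run_session(SAMPLE_SPAM_SESSION)
    for cmd, reply in result["transcript"]:
        print(f"C: {cmd}\nS: {reply}")
    print(f'accepted={result["accepted"]} relay_denied={result["relay_denied"]} '
          f'over_limit={result["over_limit"]}')
```

Run as-is it prints the full client/server exchange: the first ten local recipients get 250, the next two get 452, and the two foreign-domain recipients get 554. The caveat a practitioner would add is that a per-transaction cap is a rate-limiting knob, not a fix: RFC 5321 tells a client that receives 452 to retry the leftover recipients in a new transaction, so the sender's cost rises by a constant factor rather than going away. Production MTAs already ship with both controls (in Postfix, smtpd_relay_restrictions with reject_unauth_destination and smtpd_recipient_limit, which defaults to 1000), which is roughly the "relaying OFF by default" the post asks for.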

