I just saw an interesting observation on the dmarc-discuss mailing list. Apparently some of the larger providers who are implementing DMARC for inbound email may not be handling some of the grubbier corners of the spec perfectly. That’s not surprising at all – early adopters tend to deploy code that implements early versions of the draft specification – but I can see this...
Alice and Bob and PGP Keys
Last week Alice and Bob showed how to cryptographically sign messages so that the recipient can be sure that the message came from the purported sender and hasn’t been forged by a third party. They can only do that if they can securely retrieve the sender’s public key – which means they need to retrieve it from the actual sender, rather than an impostor, and be sure it’s not...
Alice and Bob Sign Messages
Alice and Bob can send messages privately via a nosy postman, but how does Bob know that a message he receives is really from Alice, rather than from the postman pretending to be Alice? If they’re using symmetric-key encryption, and Bob is sure that he was talking to Alice when they exchanged keys, then he already knows that the mail is from Alice – as only he and Alice have the keys...
Who's publishing DMARC?
DMARC is a way for a domain owner to say “If you see this domain in a From: header and it’s not been sent straight from us, please don’t deliver the mail”. If a domain is only used for bulk and transactional mail, it can mitigate a subset of phishing attacks without causing too many problems for legitimate email. In other cases, it can cause significant problems. Some of...
Cryptography with Alice and Bob
Untrusted Communication Channels: This is a story about Alice and Bob. Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail. Unfortunately, Alice is pretty sure that the postman is reading the mail she sends. That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them. Symmetric...
Cryptography and Email
A decade or so ago it was fairly rare for cryptography and email technology to intersect – there was S/MIME (which I’ve seen described as having “more implementations than users”) and PGP, which was mostly known for adding inscrutable blocks of text to mail and for some interesting political fallout, but not much else. That’s changing, though. Authentication and...
Make Mail.app work for you
Mark Nottingham (@mnot) posted a good idea to Twitter: Highlight e-mails that your MTA receives with TLS. Make sure to include your mail server’s name in the value (here to the left of what’s shown) Mail.app has client support for mail routing rules. Out of the box all they’re configured to do is highlight mail from Apple, but Mark is adding a rule to passively...
Who didn't invent email?
Who didn’t invent email? Shiva Ayyadurai. He’s not the only one – I didn’t invent email either, nor did Abraham Lincoln, Boadicea or Tim Berners-Lee. So why mention Shiva? He claims that in 1978 when he was 14, he took some courses in programming. His mum worked for the University of Medicine and Dentistry of New Jersey, and one of her colleagues challenged him to write an...
The origins of network email
The history of long distance communication is a fascinating, and huge, subject. I’m going to focus just on the history of network email – otherwise I’m going to get distracted by AUTODIN and semaphore and facsimile and all sorts of other telegraphy. Electronic messaging between users on the same timesharing computer was developed fairly soon after time-sharing computer systems...
Email History through RFCs
Many aspects of email are a lot older than you may think. There were quite a few people in the early 1970s working out how to provide useful services using ARPANET, the network that evolved over the next 10 or 15 years into the modern Internet. They used Requests for Comment (RFCs) to document protocol and research, much as is still done today. Here are some of the interesting milestones. April...