Security people: why is this idea dumb?
Reflections on the occasion of watching someone fairly sophisticated narrowly avoid getting phished about an hour ago.
(Unsubstantiated) Claim: a lot of phishing attacks are forged to appear to come from a fairly narrow range of relatively sophisticated companies — email providers, connectivity providers, financial institutions, etc.
Thought 1: “why can’t these companies use standard off-the-shelf public key crypto to digitally sign emails?”
Objection 1: well, the people who are going to be likely victimized by phishing attacks aren’t likely to be able or willing to figure out how to use GPG, plus the key exchange problem.
Reply 1: why can’t companies distribute to their users, on sign-up, a very lightweight signature-verification app that hides all the crypto details? I’m thinking something that the user just clicks, and it pops up a text entry box; the user pastes the message in the box, and it verifies the authenticity of the message. The app could auto-update with the latest public key from the company. It could also be distributed as email/browser plugins, etc.
Objection 2: well, that would still be an attack vector, people could compromise the distribution of the verification app, compromise the fetching of new keys, etc.
Reply 2: but at least potentially those things would be harder to compromise than convincing people to click on phishing emails currently is.
Objection 3: that might work with plain text email, but what about HTML email with embedded images and such? Is what the user copy-pastes in the box going to be the same as what the company signed?
Reply 3: if that’s a serious problem, then just don’t send HTML email for stuff that asks your users to do potentially dangerous things, and tell your users not to click on links in HTML email purporting to be from you.
Objection 4: but will people actually install and use it?
Reply 4: for installation, at least people’s employers can force them to do so. For use, at least some number of people would use it, and those people are people who don’t get phished. Plus <lawyer hat>that might make a nice defense for companies who get sued for inadequate security against users who had an option like this but chose not to use it (although I’m not sure if companies are getting sued on the theory that it was too easy to forge emails from them… wouldn’t surprise me though, the creativity of the plaintiff bar is endless)</lawyer hat>
Objection 5: wouldn’t that just make people dumber? We should be teaching people to recognize phishing messages and have good security practices, not rely on a black box.
Reply 5: say hello to my friend, Mr. Reality. Also, by that logic, every security innovation out there, from virus scanners to corporate attachment deletion to turning off Microsoft macros would be a bad idea.
Objection 6: how many of these apps are people supposed to install? One from their email provider, one from the bank, etc. etc.
Reply 6: that sounds like an opportunity for an enterprising startup or a crypto-minded activist group (Open Whisper Systems, are you listening?) to build something that would collect all the keys, like a single install app pulling from a central keysever. Having one secure trusted place to get trusted public keys from banks, email providers, etc. doesn’t seem too bad. Remember, we’re talking about a handful of companies, not thousands of people, so they can more easily verify the authenticity of keys they deposit.
Objection 7: ???? What have I missed?
