January 20, 2004

Email: to sign or not to sign?

Author: Joe Barr

If you participate in non-techno-geek mailing lists, and you also make a habit of cryptographically signing your mail in compliance with the open standards articulated in RFC 2015 and RFC 3156 (PGP/MIME), you've undoubtedly run into questions about what you're doing and possibly even criticism for doing it. At least that's been my experience over the past couple of years on mailing lists as low-tech as one dedicated to raising donkeys and mules and as high-tech as tech journalism. Well, on second thought, maybe those are both low-tech. But in any case, I've been asked to stop signing messages on both lists. The question is what to do: continue swimming upstream or give in and go with the flow?

Memo to self: Write thank-you note to Reuters for their recent story on the cost of coping with email-borne computer viruses in 2003. If you missed the story, last year's total cost was estimated to be fifty-five billion dollars. It's expected to be more in 2004.

Why the thank-you? Because they provide me with a quick, easy answer that people are a lot more likely to understand than my best effort at explaining how the practice of putting a cryptographic signature on the mail you send, and verifying the signature on the mail you receive, could virtually eliminate the epidemic.

In the past, I've tried to explain a little bit about why I sign my mail and what it does, and perhaps provide a link to Karsten Self's famous rant on the subject. But I've a feeling that 99 times out of 100, eyes glaze over long before any real knowledge transfer has occurred.

But thanks to the Reuters story, I can now put a $55 BIG price tag on the issue. That figure is sure to snap some of those glazed eyeballs back to wide-eyed attention. You don't have to be technically evolved to understand that is a whole lot of money. If only it holds their attention long enough for me to explain that if everyone were using the proven, open-standards-based security technique of adding a cryptographic signature to the mail they send, and if they also checked for a valid signature on the mail they receive, the problems of both email-borne infections and spam could virtually be stopped in their tracks.

Most email-borne infections these days spread themselves by mailing copies of themselves to every address they can harvest from the current victim's machine, with the From: line forged to show the victim's own address (or, just as often, some other address lifted from the victim's address book). Forging the sender like that is called spoofing, and it's the email equivalent of the tactic sometimes used with bad intentions at the packet level on the Internet, when packets are sent with forged source IP addresses. The lesson is that the From: line proves nothing about who actually sent a message.

It's just human nature to be more trusting of mail we receive from Aunt Nadine or a co-worker than we are of mail from a stranger. So the infections spread like wildfire. Virus checkers can help, but only after two important things have happened. First, the virus has to infect enough people to get noticed by one of those vendors reaping the bulk of the $55 BIG mentioned earlier. After that, you have to have updated your virus checker to include the new viral fingerprint. But the horse, she would never get out of the barn in the first place if Aunt Nadine signed her mail, and you refused to trust anything bearing her name that didn't carry a valid signature.
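As an added illustration (not part of the original article, and not any mail client's shipped code), the Python below shows what a PGP/MIME (RFC 3156) signed message looks like on the wire, pulls out the exact bytes a verifier has to check, and applies the rule argued above: mail that claims to come from someone who always signs, but arrives unsigned, is treated as suspect no matter what the From: line says. The two messages, the list of known signers and the `verify` hook are constructed for the example; the armored signature block is a placeholder rather than a real signature, so the `gpg_verify` helper would reject it, which is why the policy check is exercised with a stand-in verifier.

```python
# Added example (not from the article): PGP/MIME (RFC 3156) on the wire, plus
# the trust rule the article argues for. The messages, known-signer list and
# `verify` hook are constructed for this example.
import os, re, subprocess, tempfile
from email import message_from_bytes
from email.utils import parseaddr

# Constructed RFC 3156 message; the armored block is a placeholder, not a
# real signature, so gpg would (correctly) reject it.
SAMPLE_SIGNED = (
    b"From: Aunt Nadine <nadine@example.org>\r\n"
    b"To: Joe <joe@example.net>\r\n"
    b"Subject: the mules are fine\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/signed; micalg=pgp-sha1;\r\n"
    b' protocol="application/pgp-signature"; boundary="pgpsig-boundary-01"\r\n'
    b"\r\n"
    b"--pgpsig-boundary-01\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Both mules are fine. Nadine\r\n"
    b"--pgpsig-boundary-01\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"-----BEGIN PGP SIGNATURE-----\r\n"
    b"\r\n"
    b"iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder\r\n"
    b"=AbCd\r\n"
    b"-----END PGP SIGNATURE-----\r\n"
    b"--pgpsig-boundary-01--\r\n"
)
# Constructed unsigned message with a forged From: line, the shape of a
# mass-mailing worm spoofing an address-book entry.
SAMPLE_SPOOFED = (
    b"From: Aunt Nadine <nadine@example.org>\r\n"
    b"To: Joe <joe@example.net>\r\n"
    b"Subject: Re: your details\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See the attached file for details.\r\n"
)

def split_pgp_mime(raw):
    """Return (signed_bytes, armored_signature, micalg) for a PGP/MIME
    multipart/signed message, else None. The signed bytes are sliced from the
    raw message, not re-serialised from the parsed part: gpg must see exactly
    the bytes the sender signed, CRLF line endings included."""
    msg = message_from_bytes(raw)
    if (msg.get_content_type() != "multipart/signed"
            or msg.get_param("protocol") != "application/pgp-signature"
            or msg.get_boundary() is None):
        return None
    delim = b"--" + msg.get_boundary().encode("ascii")
    _, sep, body = raw.partition(b"\r\n\r\n")      # end of the outer headers
    start = body.find(delim + b"\r\n")
    if not sep or start < 0:
        return None
    start += len(delim) + 2
    # The CRLF before a boundary belongs to the boundary (RFC 2046 5.1.1),
    # so the signed part ends just before it.
    end = body.find(b"\r\n" + delim + b"\r\n", start)
    if end < 0:
        return None
    sig_start = end + len(delim) + 4
    sig_end = body.find(b"\r\n" + delim + b"--", sig_start)
    if sig_end < 0:
        return None
    _, sep, armor = body[sig_start:sig_end].partition(b"\r\n\r\n")
    return (body[start:end], armor, msg.get_param("micalg")) if sep else None

def gpg_verify(signed, armor):
    """Real verifier for the `verify` hook of classify(): runs gpg on the
    detached signature (needs gpg and the signer's key in your keyring) and
    returns the address from the GOODSIG line, or None. GOODSIG only means the
    signature matches some key you hold; a real client must also check the
    TRUST_* status lines so that a key you never vetted earns no trust."""
    with tempfile.TemporaryDirectory() as d:
        data, sig = os.path.join(d, "data"), os.path.join(d, "data.asc")
        with open(data, "wb") as f:
            f.write(signed)
        with open(sig, "wb") as f:
            f.write(armor + b"\r\n")
        out = subprocess.run(["gpg", "--batch", "--status-fd", "1",
                              "--verify", sig, data],
                             capture_output=True, text=True).stdout
    m = re.search(r"^\[GNUPG:\] GOODSIG \S+ (.+)$", out, re.M)
    return parseaddr(m.group(1))[1].lower() if m else None

def classify(raw, known_signers, verify=None):
    """The article's rule: trust comes from a valid signature, never from the
    From: line. `verify(signed, armor)` returns the signer's address or None
    (pass gpg_verify for real mail); without one, signed mail is only
    reported as present-but-unchecked."""
    sender = parseaddr(message_from_bytes(raw).get("From", ""))[1].lower()
    parts = split_pgp_mime(raw)
    if parts is None:
        # Unsigned mail "from" someone who always signs is exactly what a
        # worm spoofing her address looks like: do not trust it.
        return "unsigned-suspect" if sender in known_signers else "unsigned"
    if verify is None:
        return "signed-unchecked"
    signer = verify(parts[0], parts[1])
    if signer is None:
        return "bad-signature"
    return "signed-ok" if signer == sender else "signed-by-other"
```

The part people most often get wrong is the slicing in `split_pgp_mime`: the signature covers the first MIME part exactly as it went over the wire, headers included and with CRLF line endings, and the CRLF in front of the next boundary line is part of the boundary, not of the signed data; re-serialising the parsed part (which may refold headers or change line endings) silently breaks verification. For real mail, `classify(raw, known_signers, verify=gpg_verify)` does the work; the "unsigned-suspect" outcome is the Aunt Nadine case from the paragraph above.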

Memo to Karsten Self

But peer pressure is as alive and well in this fifty-something old geek as it ever was, and when a couple of people I know and respect asked about what I was doing recently, and then asked why I bothered to do it, I decided it was time for some serious soul-searching on the subject. And also time to check whether Karsten Self is still signing his mail. So I wrote and asked him just that, along with a couple of other questions.

To my first question, he replied:

I sign the stuff I write myself. Which isn't quite as trite as it
sounds -- I generate a fair number of automated or semi-automated LARTs
to Swen and Spam mail. Though I'm thinking of a way I can do an
unattended clearsigning of these. Unfortunately, too many ISP help desk
systems can't accept MIME attachments.

Clearsigning's an alternative. Which I'd like to do to authenticate my
reports (which I think are useful). I looked briefly for gpg-agent,
which apparently functions a bit like ssh-agent to allow unattended
signing, without risking keys to filesystem storage. Or I could use a
single-use, non-password-protected signing key as a mild form of
assurance.

Other than those exceptions, though, he says that he continues to sign "pretty much all my personal mail."

I also asked him if he thought there were more or fewer people signing their emails today than when he first put his rant online in 2001. He replied:

I have no idea.

The rant's been remarkably popular, and it's mirrored at a number of
sites -- several of which score higher in Google searches than my own
copy! I think the language may not make for the best evangelizing,
though it's popular for the converted.

One thing I _have_ noticed is that I see far fewer people complaining
about GPG/PGP signatures than when I first wrote the rant. None in the
past couple of years. I think that general awareness of security and
the possibility of signing and encrypting email is very, very, very
slowly dawning in the general population. It's at the "I know that
people can do it, but I don't know how I can or how much trouble it
would be" level for most folks with at least a general exposure to
computers.

Some email-based systems such as domain registration now provide an
option for GPG/PGP signing requests for account and domain changes,
which is a very good step. The ongoing erosion of personal liberties in
the US under the so-called "Patriot" act has also increased public
awareness of privacy and surveillance issues, though given the starting
point that might not be saying much.

Ongoing issues with spam and mail authentication may help. I'm seeing
about 3k spams a month, doubling every 6-12 months. In another year or
so, email over dialup is going to be impractical -- regardless of
filtering, the download requirements will be too high. Various forms of
MTA and user authentication may become part of widely-used spam
defenses, and I see a role for GPG here. The real nut though is MS
Outlook -- virus propagation system of choice for the majority of the
online world. While there are proprietary PGP plugins available, there
is no default support for any encryption/authentication system. What
I've seen suggests Microsoft prefers the S/MIME standard, which has a
number of features I see as less desirable than GPG.

It's also particularly annoying that Microsoft software's dependence on
filename extensions means that your average legacy MS Windows user is
stymied by a perfectly readable plain-text attachment which lacks an
extension....

I do see a lot of signed mail on GNU/Linux and Debian oriented lists,
which I read extensively, which is a Good Thing. And the n00bs who ask
about it are frequently pointed at my rant by the time I've stumbled
across the discussion, which lends its own satisfaction.

Here's my decision, what's yours?

I decided that if Karsten can continue to carry the torch, so can I. But then I have a third-degree black belt in gadfly and a rep for swimming upstream. Chalk my questioning of signing up to a lapse in judgment caused by fatigue and a higher-than-normal dose of just wanting to get along.

But what about you? Do you think signing your email is a good idea? Good enough to actually do it? Or do you think it is a futile waste of time, and much easier to just go with the flow from the River Redmond?

Category:

  • Security