Skip to content

Archives

Jon Udell’s forged S/MIME signature, and spam

Spam: Jon Udell: How to forge an S/MIME signature, and Liudvikas Bukys’ take on the results: ‘Jon Udell tries his hand at S/MIME signature forgery, revealing that PKI is not a panacea. A digital signature proves something. The proof is strong but the something is weak (if it just demonstrates that you clicked a few things to get a persona certificate).’

He then suggests two ways to use this info in useful ways:

The first is ‘higher-class certificates (where certificate authorities demand more proof, and encode that fact in the certificate). But higher quality means harder to get and less actual deployment. And higher quality means more attractive target for theft of keys.’

In the anti-spam case, it also means that you trust the certificate provider to both (a) accept money from their customers to issue them certs, and (b) take away those certs from their own customers if they infringe by sending spam messages. This is the hard part. There’s an active financial disincentive for a company to do this; the people who benefit (the end-users) are not their paying customers, whereas the people who get hurt (the infringers) are. Economics dictates that they water down the requirements, in order to maximise their profits — making the system useless.

On the other hand we have: ‘reputation systems. Of course, building robust reputation systems is not easy. Users may wish to have multiple sources of reputation information to fit their own definitions of good and bad behavior and how fast those judgments are made. It replays the whole DNS blacklist deployment. Some reputation systems may seem arbitrary and capricious. Others may be too slow or too tolerant. They are all lawsuit targets. Will there be too many to choose from?’

‘zackly. An excellent illustration of how S/MIME or other PKI will not solve the spam problem, and we’ll still have the same DNSBL situation as we have now (although hopefully working a lot better).

S/MIME may solve the forged-email problem, like SPF does — however, like SPF it will still need to work with reputation systems to be usable as an anti-spam scheme.