Monday, December 29, 2008

Email in the loop

Email seems to be a sort of universal escape hatch for otherwise automated schemes:
  • If you forget your password on many sites, or in some cases even if you forget your login entirely, you can have the site send a special email to an address you gave when you registered.
  • If you want to join a site, you'll often get an email containing a magic link to follow to complete the registration process.
  • The same scheme has been used for product registration.
  • If you want to join an automated mailing list, you'll typically get an email asking you to confirm that you wanted to join.
Why does this work? It's painfully clear that email is completely insecure on the sending side. Anyone can spoof anything without a lot of effort. I've sometimes received email from myself for products I'm pretty sure I'm not trying to sell myself (my evil twin, on the other hand, may have other ideas ...). However, receiving email is somewhat more secure. Generally you at least have to give a password, and the connection to the mail server can be protected with TLS. This is nowhere near ironclad, but it does help:
  • A random person trying to recover your password will have to know what email address you registered with and be able to intercept your mail.
  • Someone trying to register hordes of people on a particular site will have to make up a bunch of email addresses and have a bot ready to answer the confirmation mails. Hmm ... that doesn't sound like a particularly high bar, so maybe I'm missing something.
  • When you legitimately register a product, the seller now has an email address that it knows someone has replied to at least once (and presumably a pirate will use other means to get the use of the product).
  • A spammer can't add your email address to someone else's mailing list without your getting an email asking if you really want mail from that list. This doesn't cure all ills, but it at least cures one of them.
If all this sounds like a sort of lukewarm endorsement, it should. The fact remains that email isn't really secure and doesn't seem to be getting any more secure very fast (I'm aware of PGP and its cousins and offspring -- good stuff, but not widely deployed). I think what bothers me here is that the extra email step might give an exaggerated air of security. About the best that can be said in most cases is that if you send an email to a legitimate address, at least the intended recipient is likely to see it, and schemes that rely on this seem to work well enough in practice that they continue to be used.
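The password-reset, registration and list-confirmation schemes above all rest on the same server-side token handling. As an added illustration that is not code from the original post (the function names and the in-memory store are hypothetical), here is what the "magic link" side has to get right for the loop to carry the security the post describes: the token is unguessable, only its hash is stored, it is bound to the address and purpose it was issued for, it expires, and it is accepted exactly once.

```python
import hashlib
import secrets
import time

# Constructed in-memory store of outstanding tokens, keyed by the SHA-256 of
# the token itself. A real site would keep this in a database; storing only
# the hash means a leaked table does not yield usable links.
_pending = {}

TOKEN_TTL_SECONDS = 15 * 60  # emailed links should be short-lived


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(email, purpose, now=None):
    """Create a one-time token for `purpose` (e.g. "password_reset") bound
    to `email`. The returned string is what goes into the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = {
        "email": email,
        "purpose": purpose,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_token(token, email, purpose, now=None):
    """Return True and consume the token if it is valid for this
    email and purpose; False otherwise (the token is also consumed
    when it is found expired)."""
    now = time.time() if now is None else now
    key = _digest(token)
    record = _pending.get(key)
    if record is None:
        return False  # unknown, already used, or forged
    if now > record["expires"]:
        del _pending[key]
        return False
    # Bind to address and purpose: a reset link must not double as a
    # registration confirmation, nor work for a different account.
    if record["email"] != email or record["purpose"] != purpose:
        return False
    del _pending[key]  # single use
    return True
```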

[Access to email (the receiving side, above) has gradually become more secure. HTTPS is now pretty standard and two-factor authentication is available. Spam and phishing are still significant issues, though spam filters seem to have gotten better faster than spammers have gotten better at getting around them. As to the main point of the article, email seems to be just as much in the loop as it was when I wrote this. --D.H. May 2015]
