The Internet and email is old at this point.

It can be reasonably argued that email links are a significant threat vector right now.

So far, we just keep trying to sandbox links or scan attachments, but it’s still not stopping the threat.

My questions for comment:

  • Would removing anonymity from email reduce or remove this threat? If business blocked all uncertified email senders, would this threat be gone?
  • Why can’t we do PKI well after a few decades?
  • Does anyone believe PKI could apply to individuals? In the context of identity for email, accounts, etc?

I see services like id.me and others and wonder why we can’t get digital identity right and if we could, would it eliminate some of the major threats?

Image credit: https://www.office1.com/blog/topic/email

Edit, post not related to the site or any service, just image credit.

  • bahbah23@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    ·
    11 months ago

    Would you mind pointing me at research that demonstrates that email links are the number one threat vector right now?

  • Melllvar@startrek.website
    link
    fedilink
    English
    arrow-up
    11
    ·
    11 months ago

    E-mail is a lingua franca. It’s used not because it’s superior, but because you don’t have to worry about whether your recipient is using the right software setup to receive your message. It’s the lowest common denominator of internet messaging and can only be replaced in that role by a new lowest common denominator.

    • A company that rejected basic email would necessarily be rejecting some percent of legitimate messages and/or increase their IT costs. While this doesn’t mean it’s impossible, it would be at least be a painful transition. Users will hate it.
    • Adding PKI just amplifies the software setup problem because now you have to worry about primitive selection, centralized authorities, key lifecycle management, etc. And there’s no way for the sender and recipient to negotiate security parameters, so they have to be agreed on in advance, something basic email doesn’t need.
    • PKI is too finicky and abstract for the average user to understand or care about. We can’t reasonably expect them to make good decisions about a subject that even professionals and large organizations struggle to understand. A big reason for email’s longevity and success is that the average user doesn’t need to understand it at any technical level.
  • D61 [any]@hexbear.net
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    11 months ago

    Would removing anonymity from email reduce or remove this threat? If business blocked all uncertified email senders, would this threat be gone?

    So as a goober that keeps getting jobs where my employer mandates that I am assigned an email address from their private email system, is told to “practice cyber security awareness” blah blah blah, and then is immediately spammed by internal emails with a shit ton of links (from people who are strangers to me but actually work for the same employer) from inside the org, I don’t think removing anonymity would eliminate the threat. I’m being habituated into opening, reading, and encouraged to click links from “strangers” by my employer.

    It might make it easier to for an attacker to ID a target though.

  • HubertManne@kbin.social
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    11 months ago

    I want a government email. I think the usps should run one that allows for official government communiction in an isolated inbox and then another isolated inbox for communication that would require a penny and an individual and a last inbox that allows for companies and such to send to you for a fee and it would be encrypted. I wold keep it separate from normal email but at least you could be sure of who the sender is and it would make government communications easier.

    • MSgtRedFox@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      3
      ·
      11 months ago

      Interesting. I do wish our government identity extended to online. Instead of signing into a bunch of websites with a Google account, I think a us government or state account would be nice. One account, PKI in your driver’s license or some other passkey like device.

      I guess the trade would be protection of that digital ID and the system running it. We already have identity theft. I hope it would be harder if you have to digitally sign a bunch of stuff with you driver’s license. Most people probably don’t have experience with common access cards or tokens though.

      • HubertManne@kbin.social
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        11 months ago

        yes and you should never have to worry about losing it do to it being like canceled and you should be able to clear up any support issues at the post office.

  • jaredj@infosec.pub
    link
    fedilink
    English
    arrow-up
    2
    ·
    11 months ago

    There are many ways to be more selective about from whom to accept email. SPF, DKIM, DMARC, and various blacklists are among them. They are supposed to make life harder for spammers. But they have also made running a mail server something that few dare to try anymore. Setup is not easy, but getting blacklisted is, and it causes silent delivery failure, and takes days of work to fix.

    As a result, most of the email is run by Microsoft and Google. But that didn’t stop phishers. They just go after people at smaller companies where security isn’t as tight yet, and then they’ve got valid Microsoft accounts to send from. Liars and Outliers by Schneier is about this sort of dynamic.

    As for PKI: If I may assume you to be, or have been, affiliated with an armed service – Whose property is your CAC? And why did you use a pseudonym to make this post? (I mean to be pithy, not sarcastic.) I think Liars and Outliers by Schneier is all about this sort of thing - but I didn’t get much of it read before it was due back at the library.

    • MSgtRedFox@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      Yeah, my frustration with how we’ve centralized email on those enterprises is that criminals and spammers can just get accounts, pay marketing fees, malware ads, etc.

      Even PKI is frustrating in that it’s both a racket where only a couple can do it for good reasons, they can almost charge whatever they want, and still there’s places where you can get certs minted with almost no validation.

      I initially hated token login, but after you realize you never need passwords, to remember accounts, and it works for signing documents.

      I’m not says you shouldn’t still have a private selection, but I wish we had a certified solution that could reduce deception. Or at least I would direct all non certified senders to spam.