On 12/11/2021, Sebastian Nielsen via mailop wrote:
> Hi.
> (snip)
> Note here, that if full body is signed, the content of the QR code
> signature, and the DKIM-Signature: field, will differ by the bh=, as the
> email without QR-code embedded will be signed in the QR-signature, and
> the header DKIM-Signature will have the email WITH the QR-signature.
> This should be completely valid, otherwise a chicken-and-egg problem would
> appear if the signature must be a signature of itself.
On principle I do not like anything that modifies a message body or most
of the MUA (mail user agent) provided headers in flight. The sender or
the receiver can modify these to suit their needs, but not any other
systems. Sender or receiver can be a business entity or an individual
user; to my mind the test I would use is who "owns" the mailbox.
Employees of a business entity do not own the mailbox, the business does.
> (snip)
> This allows a user to DKIM-validate an email EVEN if the
> receiving system has no support for DKIM validation at all, neither the
> client nor the receiving mail server. This would increase trust for email, as
> users that suspect an email with an embedded link is phishing could
> easily scan the QR code with their mobile phone, and instantly know the
> email is legit.
It sounds like you want sweeping changes to MUAs to support this, and I
feel that it would be easier to get MUAs to support the already existing
DKIM and DMARC standards, even easier would be to find a mailbox
provider that will do this for you. Attempting to get phone MUAs to
support something like this DKIM-QR, when I have yet to find one that
supports IMAP subscriptions, is umm... Going to be hard.
Having said that, I do not know how much unwanted mail is stopped by
DMARC mis-alignment... I simply do not have stats. I do suspect that
most of the traffic such systems would catch would be bot-generated
email, and not much else. Most of the phishing that I do see is from
dedicated spammers willing to pay for both domains and IP addresses;
stolen user accounts; and free-mail providers with poor outbound abuse
handling -- I'm looking at you Gmail. DKIM/DMARC isn't going to solve that.
> Security considerations:
> If a phisher steals the QR code, he would not be able to use it, because
> the Date: will be different. It would be immediately clear to the
> receiver that it's an old signature that has been wrongly reused.
> Since the To: is included in the validation popup, it would also be
> evident to the original user that the To: address doesn't match.
> And misusing a QR for one email, to send a phishing email with another
> content, would also be evident either by the subject tag not matching
> the content of the email, or the subject tag not matching what's shown in
> the validation popup.
> There is a risk that someone might include a malicious link instead of
> dkim:// in the QR code, but since all the QR scanner apps today ask the user
> if they want to open the link, the danger decreases.
> Also, another thing is that mobile phones are today inherently more
> secure, as they, unless configured otherwise, will refuse to install binaries from
> unknown sources and isolate apps from each other, meaning that even if a
> dangerous link were mistakenly opened, nothing would install without
> clicking through multiple consent windows.
> This would bring DKIM more to the masses, by senders being able to put
> in a "Scan-To-Verify" DKIM-QR in emails, also prompting users to verify
> their emails.
> Would love to hear the thoughts about the idea.
The last issue that I have here is the use case for users, and just how
many of them you would expect to find the feature useful. It seems to
me that the vast majority of email's user base just doesn't care,
doesn't want to go through extra effort, and/or believes that this is
something that the mailbox provider should be doing for them.
--
SgtChains
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
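The two technical points quoted above (the bh= of a QR-embedded signature necessarily differing from the header DKIM-Signature, and a copied signature failing once Date:, To: or the body content differ) can be made concrete with a small signer/verifier. The following is an added example written for this thread; it is not code from Sebastian's proposal or from any DKIM implementation. It uses RFC 6376-style body and header canonicalization, but replaces RSA with an HMAC-SHA256 stand-in so it runs with only the Python standard library; the domain, selector, key and the sample message are all constructed.

```python
"""Added example, not from the thread: a minimal DKIM-style signer/verifier.
RSA is replaced by an HMAC-SHA256 stand-in (assumption, stdlib only);
d=example.com / s=demo and the message below are constructed values."""
import base64
import hashlib
import hmac

SIGNED_HEADERS = ("from", "to", "subject", "date")
KEY = b"constructed-demo-key"  # stand-in for the signing domain's private key


def canonical_body(body: str) -> bytes:
    """DKIM 'simple' body canonicalization: CRLF line endings, trailing
    empty lines removed, exactly one CRLF at the end."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonical_body(body)).digest()).decode()


def _header_block(headers: dict, bh: str) -> bytes:
    """'relaxed'-style header canonicalization (lowercase names, collapsed
    whitespace) followed by the DKIM-Signature field with an empty b= tag."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = [f"{name}:{' '.join(lower[name].split())}" for name in SIGNED_HEADERS]
    tags = (f"v=1; a=hmac-sha256; d=example.com; s=demo; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    lines.append("dkim-signature:" + tags)
    return "\r\n".join(lines).encode()


def sign(headers: dict, body: str) -> dict:
    """Produce the tags a signature (QR-embedded or header) would carry."""
    bh = body_hash(body)
    mac = hmac.new(KEY, _header_block(headers, bh), hashlib.sha256).digest()
    return {"h": ":".join(SIGNED_HEADERS), "bh": bh, "b": base64.b64encode(mac).decode()}


def verify(headers: dict, body: str, sig: dict) -> tuple:
    """Verifier side: recompute bh= from the delivered body, then the header
    MAC over the delivered From:/To:/Subject:/Date:, and say what failed."""
    if body_hash(body) != sig["bh"]:
        return False, "body hash mismatch (body altered or signature reused for other content)"
    expected = hmac.new(KEY, _header_block(headers, sig["bh"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig["b"])):
        return False, "header hash mismatch (Date:, To:, Subject: or From: differ from the signed values)"
    return True, "pass"


# Constructed sample message (not taken from the thread).
HEADERS = {
    "From": "alice@example.com",
    "To": "bob@example.net",
    "Subject": "[TAG-1234] Your invoice",
    "Date": "Sat, 11 Dec 2021 10:00:00 +0000",
}
BODY = "Hello Bob,\r\nPlease find the invoice attached.\r\n"
QR_BLOCK = "\r\n[image: DKIM-QR scan-to-verify]\r\n"  # stands in for the embedded QR image


def qr_and_header_signatures() -> tuple:
    """The QR signature covers the body *without* the QR block; the header
    DKIM-Signature covers the body *with* it, so their bh= values differ
    and each verifies only against the body it was computed over."""
    qr_sig = sign(HEADERS, BODY)
    header_sig = sign(HEADERS, BODY + QR_BLOCK)
    return qr_sig, header_sig


def replay_checks() -> dict:
    """Defender-side view of the 'stolen QR code' cases: a copied QR
    signature must fail when Date:, To: or the body content differ."""
    qr_sig = sign(HEADERS, BODY)
    return {
        "original": verify(HEADERS, BODY, qr_sig),
        "new_date": verify({**HEADERS, "Date": "Mon, 13 Dec 2021 09:00:00 +0000"}, BODY, qr_sig),
        "other_recipient": verify({**HEADERS, "To": "carol@example.org"}, BODY, qr_sig),
        "other_content": verify(HEADERS, "Hello Bob,\r\nPlease log in at the link below.\r\n", qr_sig),
    }


if __name__ == "__main__":
    qr_sig, header_sig = qr_and_header_signatures()
    print("bh (QR):    ", qr_sig["bh"])
    print("bh (header):", header_sig["bh"])
    for case, (ok, reason) in replay_checks().items():
        print(f"{case:16} {'PASS' if ok else 'FAIL'}: {reason}")
```

Two things the run shows that the prose only asserts: the QR signature does not verify against the full delivered body (its bh= was computed before the QR block was inserted), which is exactly why the two bh= values have to differ rather than being a defect; and because the header hash covers Date: and To:, a replayed signature fails with a header mismatch even when the body is copied byte for byte, while a body swap fails earlier at the bh= check.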