Computer Security: e-mail is broken and there is nothing we can do
Have you ever received an e-mail from a friend or someone you know and been surprised or appalled by its contents? Or, worse, have you received a response to an e-mail that wasn’t written by you? Maybe with similarly surprising or appalling contents? If yes, welcome to the insecurity of the mail protocol, where nothing is as it seems…
No, this time we are not talking about “phishing” or malicious attachments but the very basics of the e-mail protocol. “SMTP” aka the “Simple Mail Transfer Protocol” is exactly what it says: very simple! In many respects, e-mails are identical to physical hand-written letters: you cannot deduce from either the sender’s address or the message text whether it has really been sent by that person. Impersonation has never been as easy as with the SMTP protocol. Due to its simple design, I can pretend to be Mickey Mouse, Harry Potter or anyone else, and send you text messages resembling or contradicting Mickey’s opinion and thinking, deeply offend Hermione, bluntly lie to you, or try to lure you into disclosing secrets to me like your password (“Phishing”, you may recall). But the risk is not only that you are spammed with unwanted messages; the bigger risk is that I can diminish your reputation by sending offensive, weird or embarrassing e-mails in your name…
And there is not much we can do on the mail service or security protection side*. E-mail address spoofing is permitted by the protocol. Technically, we cannot block or filter legitimate, but misused, sender addresses – that would deeply affect the free communication of legitimate users with/to/from CERN. For the same reason, we cannot just block certain mail server addresses. And we shouldn’t, if we value the academic freedom of CERN (see our Bulletin article on “WWW Censorship? Not at CERN”). In order to combat malicious e-mails, we will soon deploy an advanced filtering engine, which will dynamically analyse all e-mails for malicious content and reject any problematic messages. But this will not cover e-mails that arrive with somehow legitimate and valid content – even if this content is wrong, offensive, contradictory, etc.
This implies that we all have to live with this kind of SPAM. And that we have to live with the fact of someone writing in our name… And we have to hope that the recipients contact you to inform you of the nonsense they’ve received so that you can rectify the problem. Conversely, if you really want to be sure that the mail you just received is legitimate and comes from the person it claims to come from, use common sense. Are you expecting such a mail from him/her? Do the content and context make sense? Could you call him/her to cross-check? Or, for the more technophile among you, digitally sign your mails so that the recipient can verify their real origin: you. Instructions are available for Microsoft Outlook, for the Mac OS mail client and for Thunderbird, and there are dedicated instructions for using S/MIME at CERN.
* The mail industry is trying to solve this issue with new restrictions like the SPF, DKIM and DMARC initiatives. However, as mailing lists can be incompatible with these new security features, none of them have been widely deployed, so far at least...
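As an added illustration (not part of the original article): the From line a mail client displays is just text supplied by the sender, so a recipient-side check can compare it with the envelope sender recorded in Return-Path and with the SPF, DKIM and DMARC verdicts the receiving server records in Authentication-Results. The sample message, its domains and the helper names below are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic); all domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.org
From: "Mickey Mouse" <mickey@example.org>
To: you@example.org
Subject: Urgent

Please send me your password.
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent or malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def verdict(auth_results, method):
    """Extract e.g. 'pass' from 'dmarc=pass'; 'missing' if the method was not evaluated."""
    m = re.search(rf"\b{method}=(\w+)", auth_results)
    return m.group(1).lower() if m else "missing"

def assess_sender(raw):
    """Hypothetical helper: gather what a recipient can check about the claimed sender."""
    msg = message_from_string(raw)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # Authentication-Results is written by the receiving server; trust only the
    # copy added by your own server, since a sender can insert a forged one.
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    result = {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        **{m: verdict(auth, m) for m in ("spf", "dkim", "dmarc")},
        # Presence of an S/MIME structure only; the signature itself is not verified here.
        "smime_signed": msg.get_content_type() in ("multipart/signed", "application/pkcs7-mime"),
        "warnings": [],
    }
    if from_dom != env_dom:  # exact match only; DMARC's relaxed alignment is not modelled
        result["warnings"].append("From domain differs from envelope sender domain")
    if result["dmarc"] != "pass":
        result["warnings"].append("no DMARC pass recorded for the From domain")
    return result
```

Mail relayed through a mailing list will commonly trigger both warnings, which is the incompatibility the footnote above refers to.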
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
by Stefan Lueders, Computer Security Team