this post was submitted on 24 Dec 2023
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
 

The Internet and email are old at this point.

It can be reasonably argued that email links are a significant threat vector right now.

So far, we just keep trying to sandbox links or scan attachments, but it's still not stopping the threat.

My questions for comment:

  • Would removing anonymity from email reduce or remove this threat? If business blocked all uncertified email senders, would this threat be gone?
  • Why can't we do PKI well after a few decades?
  • Does anyone believe PKI could apply to individuals? In the context of identity for email, accounts, etc?

I see services like id.me and others and wonder why we can't get digital identity right and if we could, would it eliminate some of the major threats?

Image credit: https://www.office1.com/blog/topic/email

Edit: post not related to the site or any service, just image credit.

[–] [email protected] 11 points 10 months ago

E-mail is a lingua franca. It's used not because it's superior, but because you don't have to worry about whether your recipient is using the right software setup to receive your message. It's the lowest common denominator of internet messaging and can only be replaced in that role by a new lowest common denominator.

  • A company that rejected basic email would necessarily be rejecting some percent of legitimate messages and/or increasing its IT costs. While this doesn't mean it's impossible, it would at least be a painful transition. Users will hate it.
  • Adding PKI just amplifies the software setup problem because now you have to worry about primitive selection, centralized authorities, key lifecycle management, etc. And there's no way for the sender and recipient to negotiate security parameters, so they have to be agreed on in advance, something basic email doesn't need.
  • PKI is too finicky and abstract for the average user to understand or care about. We can't reasonably expect them to make good decisions about a subject that even professionals and large organizations struggle to understand. A big reason for email's longevity and success is that the average user doesn't need to understand it at any technical level.