Menu Sign In Contact FAQ
Banner
Welcome to our forums

What's happened to secure email?

Hmmm I recognise a few of the above disasters, starting with PCI-DSS which forced my little firm to pay almost double the commission for credit card processing – because we could no longer deal with the exhausting requirements, e.g. they would port scan our server and if they found we run an SMTP server on the same IP as the online shop they would throw us out

SSL/TLS only encrypts the data between the email client and the server. That happens anyway if you are accessing webmail (e.g. gmail) which uses https.

I guess the answer to my original Q is that few people care about who reads the stuff.

But none of this deals with authentication of incoming emails. At least I would have expected to see a big takeup of DKIM, perhaps with email app functionality to use it even if the email provider doesn’t.

Administrator
Shoreham EGKA, United Kingdom

PCI-DSS doesn’t prohibit services being on the same IP address. It does generally require services be separated out onto different servers (but these servers can still share the same public IP address – which is easy to do with any firewall made within the last 20 years. They don’t have to be on different physical machines either, virtual servers or other similar containers are fine). We have dozens of different services behind the same public IP address and reverse proxy, for example, and the auditors are just fine with that.

Of course the way cardholder not present transactions are done is yet another example of the tremendous inertia that stops simple improvements being made. IMHO, all cardholder not present transactions should require at least two factor authentication – relying on a static number printed in plain text on a plastic card is not really good enough in this day and age, and the PCI instead of actually fixing the root cause are instead pushing the costs onto everyone else to protect this awfully insecure way of doing payments. Even in fully compliant organisations you can easily end up with a breach and a bunch of fraud (the auditor for our ROC told us about the one company who had a staff member who simply memorised card numbers and CVVs, and then would run up a bunch of fraudulent charges. Their IT network was absolutely perfectly secure from a PCI-DSS standpoint, but when you take credit cards over the phone all it takes is a person with a good memory, something that would be prevented by 2FA)

There’s also an interesting book called “Other People’s Money: The Rise and Fall of Britain’s Most Audacious Fraudster” written by a credit card fraudster, and basically he defrauded people of a lot of money by social engineering and exploting the holes the credit card issuers left in.

Last Edited by alioth at 11 Aug 22:13
Andreas IOM

PCI-DSS doesn’t prohibit services being on the same IP address. It does generally require services be separated out onto different servers

That is surely complete bunk, in security terms

You could run different servers on the same hardware, under VMs, and nobody could tell from the outside that you are doing it.

One thing I don’t get is why ISPs (I use the word in the context of who provides incoming email filtering, for most email users) don’t provide a user interface which would enable the customer to configure whitelisted domains while stipulating that should be a hard whitelist if DKIM passes. That might drive DKIM adoption, over time. It would also provide a base for end to end email security, with those people. The large number of “secure email” providers just ensures that most people will not bother – except those who need to communicate securely only with a small group of other people.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

That is surely complete bunk, in security terms
You could run different servers on the same hardware, under VMs, and nobody could tell from the outside that you are doing it.

That’s perfectly acceptable under PCI-DSS. They require services to be containerised, and virtualisation is a perfectly acceptable way of achieving that. In any case, the public IP address(es) tell you nothing about the underlying architecture, so no PCI-DSS assessor should be making an assessment based on what’s on a particular IP, and if they attempt to do so, they aren’t doing their job. You can just as easily have multiple IPs going to the same container or virtual machine as you can have one IP address going to 18 different ones. A PCI assessor that tries to judge what’s going on by the number of services behind an IP isn’t doing a competent job (especially as it’s getting increasingly hard to get more than one public IP address per organisation, due to the shortage of IPv4 address space. The last justification was for SSL websites needing unique IP addresses, but now with SNI being ubiquitous, that excuse has gone away).

Also if you’re doing a certain volume of transactions, they don’t just look from ‘the outside’, for high volume transaction organisations you get actual auditors coming in, as well as internal penetration testing (not merely a scan) and they want to see architectural diagrams and evidence that the architectural diagrams actually represent reality, they want to see firewall rules, they want to see examples of safe software development practises etc. etc. When we were doing high volume work using payment cards, the report of compliance involved a full six weeks of auditing. It was a bit more than scanning your public IP space!

Andreas IOM

In this day and age of big data and intrusive personal data harvesting, the OpenPGP web of trust (and any similar structure) is also a “who knows who / has met who” graph, easily collectable. The balance of risks, and its perception, has changed. The backtrack we had on secured (yet highly federated) communication is part of what I emotionally consider the geek/hacker’s dream failure, and one of the reasons that computer enthusiasts (of that kind) now think “I don’t like computers anymore”. They have gone from tools of empowerment to tools of oppression. The writing was on the wall, we could have seen it, but we, as a group, largely didn’t. Computers multiply power; when only the “little guys” were using them (effectively), they empowered “anybody technically proficient”, with the hope that it would soon be “anybody”. Now, they just increase the power gap between the already powerful and the commoners.

ELLX

I agree; however the really good way to get your data (I mean virtually everything about your private life) harvested, analysed, and sold, is to use Gmail for email

Or some other large webmail provider.

All the time you use “normal” email, with your (little local) ISP providing a POP box or whatever, or running your own POP server and using some 3rd party email filtering service (I use Messagelabs; not cheap but outstanding) there isn’t likely to be anybody reading and analysing your emails.

And if you use secure email of some sort, nobody is likely to see who you are communicating with. Well, the GCHQ/NSA probably have links to ISPs but who cares about that?

I agree that public key publication is very tricky from the privacy point of view because, of necessity, anybody needs to be able to see it and verify it.

Administrator
Shoreham EGKA, United Kingdom
16 Posts
Sign in to add your message

Back to Top