💾 Archived View for dj-chase.com › documents › email-security.mom captured on 2023-07-10 at 13:34:14.


.TITLE "Email Security"
.PDF_TITLE "Email Security"
.AUTHOR "DJ Chase"
.
.nr TOTAL_SLIDES 25
.\" MOM Slideshow Stylesheet
.DOCTYPE SLIDES ASPECT 16:9 FOOTER "" "" "\*[SLIDE#]/\n[TOTAL_SLIDES]"
.HEADER_RULE OFF
.
.\" Heading pages
.de CENTER_HEADING
.	PP
.	SP 7
.	PP
.	SP 3
.	PP
..
.\" Headings
.HEADING_STYLE 1 FONT R NO_CAPS +2
.HEADING_STYLE 2 FONT R NO_CAPS +1.75
.HEADING_STYLE 3 FONT R NO_CAPS +0
.
.\" Lists
.ALIAS LIST_RESET "RESET_LIST"
.ALIAS DIGIT_LIST "PAD_LIST_DIGITS LEFT"
.
.rn ITEM LIST_ITEM
.de ITEM
.	ALD .25v
.	LIST_ITEM
..
.START
.
.
.PP
.SP 7
.PP
.HEADING 1 "Email Security"
.HEADING 2 "DJ Chase"
.
.NEWSLIDE
.HEADING 1 "It doesn't exist."
.SP 4
.LIST BULLET
.ITEM
Created in early 1960s
.ITEM
Networked version of system service
.LIST BULLET
.ITEM
Designed throughout 1970s & early 1980s
.LIST UP
.ITEM
All attempts to fix it are tacked on
.ITEM
CIA Triad & more
.LIST OFF
.
.\" #confidentiality
.NEWSLIDE
.HEADING 1 "Confidentiality problem"
.PS
define ciaTriad {
	C: box thick $1 wid 1.25 ht 1.25 "Confidentiality"; move 0.25
	I: box thick $2 wid 1.25 ht 1.25 "Integrity"
	move down 0.25 from C.sw; move 0.625; right
	A: box thick $3 wid 1.25 ht 1.25 "Availability"; move 0.25
	M: box thick $4 wid 1.25 ht 1.25 "More"
}

ciaTriad(1.33,-1,-1,-1)
.PE
.
.NEWSLIDE
.HEADING 2 "Encryption"
.SP 3
.LIST BULLET
.ITEM
Plain-text from end to end
.LIST BULLET
.ITEM
No client–server TLS by default
.ITEM
No server–server TLS by default
.ITEM
Messages themselves stored unencrypted
.LIST UP
.ITEM
Store and forward
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 2
.LIST BULLET
.ITEM
Require client–server TLS
.ITEM
Require server–server TLS
.LIST BULLET
.ITEM
Prevents users from sending to some domains
.LIST UP
.ITEM
Communicate directly with receiving server
.ITEM
Require encrypted messages
.LIST BULLET
.ITEM
Only works with handful of servers
.LIST UP
.ITEM
Password-based asymmetric encryption at rest
.ITEM
In corporate environment,
require employees to use webmail or IMAP
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 2
.LIST BULLET
.ITEM
Use TLS if available
.ITEM
Encrypt messages with PGP/GPG (Pretty Good Privacy / GNU Privacy Guard)
.LIST BULLET
.ITEM
Must have each other's public keys
.ITEM
Can't use webmail
.LIST UP
.ITEM
Encrypt messages with S/MIME (Secure MIME)
.LIST BULLET
.ITEM
TLS-based — hard/expensive to get certificate
.ITEM
Nobody does this
.LIST UP
.ITEM
In personal environment,
use POP3 instead of webmail or IMAP
.LIST OFF
.
.\" #integrity
.NEWSLIDE
.HEADING 1 "Integrity problems"
.PS
ciaTriad(-1,1.33,-1,-1)
.PE
.
.NEWSLIDE
.HEADING 2 "Sender integrity"
.SP 3
.LIST BULLET
.ITEM
No verification by default
.ITEM
From:
.ITEM
Return-To:
.ITEM
Sender: (anti-spam)
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 2
.LIST BULLET
.ITEM
SPF
(Sender Policy Framework)
.LIST BULLET
.ITEM
DNS-based
.ITEM
Restricts sender IP addresses
.LIST UP
.ITEM
DKIM
(DomainKeys Identified Mail)
.LIST BULLET
.ITEM
Header-based
.ITEM
Server certifies from address
.LIST UP
.ITEM
DMARC
(Domain-based Message Authentication, Reporting, and Conformance)
.LIST BULLET
.ITEM
DNS-based
.ITEM
Tells other servers how to handle SPF/DKIM errors
.QUIT_LISTS
.SP
.PP
Not part of basic standard —
negligent servers will happily deliver bad mail
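Added example (not part of the original slides): a small Python model of what a receiving server does with the three DNS/header mechanisms above. It evaluates an SPF record for a connecting IP (ip4, ip6, a, mx, include, all, with the 10-lookup limit of RFC 7208), then reads the domain's DMARC record to decide what to do when SPF and DKIM both fail. The ZONE table stands in for DNS and holds constructed records, so it runs offline; exists, ptr and the redirect/exp modifiers are left out, and DKIM verification itself is assumed to have happened elsewhere.

```python
import ipaddress

# Constructed DNS zone data for this demo (not real records): (rrtype, name) -> values
ZONE = {
    ("TXT", "example.com"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    ("TXT", "_spf.mailhost.example"): ["v=spf1 a:mta.mailhost.example ip6:2001:db8::/32 ~all"],
    ("A", "mta.mailhost.example"): ["198.51.100.25"],
    ("TXT", "loop.example"): ["v=spf1 include:loop.example -all"],   # pathological self-include
    ("TXT", "_dmarc.example.com"): ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
}
MAX_LOOKUPS = 10          # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    """Stand-in for a DNS resolver: reads the constructed ZONE table instead of the network."""
    return ZONE.get((rrtype, name.lower()), [])


def spf_record(domain):
    """Exactly one TXT record starting with v=spf1 is valid; zero or several means no usable policy."""
    records = [r for r in lookup("TXT", domain) if r == "v=spf1" or r.startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, _lookups=None):
    """Evaluate the SPF policy of `domain` for a connecting sender `ip`.

    Returns an RFC 7208 result string. Supports ip4, ip6, a, mx, include and all;
    exists, ptr and the redirect=/exp= modifiers are deliberately not implemented.
    """
    lookups = _lookups if _lookups is not None else [0]
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue                                # modifier (redirect=, exp=): skipped here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("include", "a", "mx"):          # DNS-querying mechanisms count toward the limit
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v6 address is never inside a v4 network and vice versa, so no version check needed
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                  # malformed address or prefix in the record
        elif mech == "include":
            inner = check_host(ip, arg, lookups)
            if inner in ("none", "permerror", "temperror"):
                return "permerror"                  # RFC 7208 section 5.2
            matched = inner == "pass"
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in lookup("A", arg or domain))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup("MX", arg or domain) for a in lookup("A", mx))
        else:
            return "permerror"                      # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                # nothing matched and no explicit all


def dmarc_record(domain):
    """Parse the _dmarc TXT record into a tag dict, or None if the domain publishes none."""
    for txt in lookup("TXT", "_dmarc." + domain):
        tags = dict((k.strip(), v.strip()) for k, v in
                    (part.split("=", 1) for part in txt.split(";") if "=" in part))
        if tags.get("v") == "DMARC1":
            return tags
    return None


def dmarc_disposition(from_domain, spf_result, dkim_passed):
    """Receiver's decision for the From: domain. Identifier alignment is assumed: spf_result
    must already refer to the From: domain and dkim_passed to an aligned d= signature."""
    tags = dmarc_record(from_domain)
    if tags is None:
        return "nopolicy"                           # nothing tells the receiver what to do
    if spf_result == "pass" or dkim_passed:
        return "pass"
    return tags.get("p", "none")                    # none / quarantine / reject


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.25", "2001:db8::1", "203.0.113.9"):
        result = check_host(ip, "example.com")
        print(ip, "->", result, "->", dmarc_disposition("example.com", result, False))
```

The "nopolicy" branch is the slide's point in code: without a DMARC record the receiver has no instruction, and a negligent server simply delivers the message whatever SPF said.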
.
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 3
.LIST BULLET
.ITEM
PGP/GPG
(Pretty Good Privacy / GNU Privacy Guard)
.LIST BULLET
.ITEM
Client-side
.ITEM
Key distribution
.LIST UP
.ITEM
S/MIME (Secure MIME)
.LIST BULLET
.ITEM
Client-side
.ITEM
TLS certificates
.LIST UP
.LIST OFF
.SP
.PP
Clients might be negligent, outdated, or may not care.
.
.NEWSLIDE
.HEADING 2 "Message integrity"
.SP 3
.LIST BULLET
.ITEM
Servers need to be able to modify headers
.LIST BULLET
.ITEM
Includes From:, Subject:, and other user-facing headers
.ITEM
Headers are stored in-band (same file),
so servers can also modify message body
.LIST UP
.ITEM
Store and forward
.LIST BULLET
.ITEM
Trust in third parties
.LIST UP
.ITEM
No end-to-end content verification
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 4
.LIST BULLET
.ITEM
Communicate directly with receiving server
.ITEM
DKIM (DomainKeys Identified Mail)
.LIST BULLET
.ITEM
Can provide message-body checksum
.ITEM
Breaks mailing lists
.QUIT_LISTS
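Added example (not part of the original slides): the DKIM body checksum in Python. The bh= tag of a DKIM-Signature is the base64 hash of the canonicalized body (RFC 6376 section 3.4.3/3.4.4); the code below implements both canonicalizations, computes bh=, and checks it against a signature header. The message and the signature header are constructed for the demo, and only bh= is checked, not the b= signature over the headers. Running it shows why mailing lists break DKIM: relaxed canonicalization forgives whitespace, but a footer appended by the list changes the hash.

```python
import base64
import hashlib
import re


def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 3.2); folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def simple_body(body):
    """'simple' canonicalization: drop empty lines at the end, finish with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").rstrip(b"\n")
    return body.replace(b"\n", b"\r\n") + b"\r\n"


def relaxed_body(body):
    """'relaxed' canonicalization: collapse runs of WSP to one space, strip trailing WSP on each
    line, drop empty lines at the end; an empty body stays empty."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


CANON = {"simple": simple_body, "relaxed": relaxed_body}
HASH = {"rsa-sha256": hashlib.sha256, "ed25519-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}


def body_hash(body, canon="relaxed", algorithm="rsa-sha256"):
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = HASH[algorithm](CANON[canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(dkim_signature, body):
    """Check only the bh= tag of a DKIM-Signature header value against the body."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"   # "c=relaxed" alone means relaxed/simple
    if tags.get("a", "rsa-sha256") not in HASH or body_canon not in CANON:
        return False
    return body_hash(body, body_canon, tags.get("a", "rsa-sha256")) == tags.get("bh")


if __name__ == "__main__":
    # Constructed message body and signature header, not a captured message.
    original = b"Hi team,\r\n\r\nThe meeting is at 10:00.\r\n"
    sig = f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; bh={body_hash(original)}; b=..."
    print("unchanged body verifies:", body_hash_matches(sig, original))
    print("re-wrapped whitespace verifies:", body_hash_matches(sig, original.replace(b" ", b"  ") + b"\r\n\r\n"))
    # A mailing list appends a footer: new content, so the body hash no longer matches.
    relayed = original + b"-- \r\nlist footer: https://list.example\r\n"
    print("after list footer:", body_hash_matches(sig, relayed))
```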
.
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 6
.PP
None —
clients inherently trust servers
.
.NEWSLIDE
.HEADING 1 "Availability problems"
.PS
ciaTriad(-1,-1,1.33,-1)
.PE
.
.\" #availability
.NEWSLIDE
.HEADING 1 "Availability problems"
.SP 4
.LIST BULLET
.ITEM
Sending server may send to an impostor if not using TLS
.ITEM
E2EE emails become unavailable if recipient loses their private key
.ITEM
Emails encrypted at rest become unavailable if recipient forgets their password
.ITEM
If using POP3, the only copy of your emails is on your computer
.LIST OFF
.
.NEWSLIDE
.PP
.SP 2
.HEADING 2 "Server-side solutions"
.SP
.LIST BULLET
.ITEM
Use TLS
.LIST OFF
.SP 2
.HEADING 2 "Client-side solutions"
.SP
.LIST BULLET
.ITEM
Backup your private key
.ITEM
Backup your password
.ITEM
Backup your emails
.LIST OFF
.
.\" #more
.NEWSLIDE
.HEADING 1 "Other problems"
.PS
ciaTriad(-1,-1,-1,1.33)
.PE
.
.NEWSLIDE
.HEADING 2 "Attachments"
.SP 3
.LIST BULLET
.ITEM
Malware
.ITEM
Double file extensions
.ITEM
File icons
.ITEM
Poorly-designed document formats
.ITEM
…
.ITEM
mailto: ?attach
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 5
.LIST BULLET
.ITEM
Prevent attachments
.ITEM
Virus scanner
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 5
.LIST BULLET
.ITEM
Virus scanner
.ITEM
Warn on suspicious files
.ITEM
Restrict mailto: links to To:, Subject:, and body
.ITEM
Common sense
.LIST OFF
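Added example (not part of the original slides): two client-side checks from this slide in Python. sanitize_mailto reduces a mailto: link to To:, Subject: and body, dropping attach/attachment, Cc: and any other field, and strips CR/LF from the single-line fields; suspicious_attachment flags the double-extension trick ("invoice.pdf.exe", or ".pdf" followed by padding spaces and ".scr"). The executable-extension list and the sample links and filenames are assumptions for the demo.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Extensions that run code when opened on a typical desktop (assumed list; extend as needed)
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                  "wsf", "hta", "ps1", "jar", "lnk", "msi"}


def sanitize_mailto(url):
    """Keep only recipients, subject and body from a mailto: URL; list every dropped field.
    Returns None for anything that is not a mailto: URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "mailto":
        return None
    recipients = [unquote(r) for r in parts.path.split(",") if r]
    subject, body, dropped = "", "", []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        key = name.lower()
        if key == "to":                      # RFC 6068 also allows recipients in the query
            recipients += [v for v in values if v]
        elif key == "subject":
            subject = values[-1]
        elif key == "body":
            body = values[-1]
        else:
            dropped.append(key)              # attach, attachment, cc, bcc, arbitrary headers...
    single_line = lambda s: s.replace("\r", "").replace("\n", "")   # no header injection via %0D%0A
    return {"to": [single_line(r) for r in recipients],
            "subject": single_line(subject), "body": body, "dropped": sorted(dropped)}


def suspicious_attachment(filename):
    """Return a warning string if the name hides an executable behind another extension, else None."""
    name = " ".join(filename.split())         # collapse padding used to push the real extension off-screen
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    final = parts[-1].strip()
    if final not in EXECUTABLE_EXT:
        return None
    if len(parts) > 2:
        return f"double extension: looks like .{parts[-2].strip()} but is .{final}"
    return f"executable attachment (.{final})"


if __name__ == "__main__":
    # Constructed samples, not captured from real mail.
    print(sanitize_mailto("mailto:alice@example.com?subject=Hello&attach=C:%5Cnotes.txt&cc=bob@example.com"))
    for fn in ("invoice.pdf.exe", "notes.PDF     .scr", "report.pdf", "setup.exe"):
        print(fn, "->", suspicious_attachment(fn))
```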
.
.NEWSLIDE
.HEADING 2 "HTML mail"
.SP 4
.LIST BULLET
.ITEM
Hyperlinks
.ITEM
Tracking pixels
.ITEM
Web browser
.LIST OFF
.
.NEWSLIDE
.PP
.SP 2
.HEADING 3 "Server-side solutions"
.SP
.LIST BULLET
.ITEM
Reject HTML email
.LIST OFF
.SP 2
.HEADING 3 "Client-side solutions"
.SP
.LIST BULLET
.ITEM
Pop-up with actual link address
.ITEM
Disable images
.ITEM
Show plain-text alternative
.LIST OFF
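Added example (not part of the original slides): a Python audit of an HTML mail body that does what the three client-side points describe. It reports links whose visible text names a different host than the href (the case a pop-up with the actual address exposes), reports remote images, singling out 1x1 ones as tracking pixels, and renders a plain-text view with each link's real target inline. The sample HTML is constructed for the demo; the parser is the standard library's html.parser, not a full renderer.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail body, not a real message.
SAMPLE = ('<p>Please <a href="http://203.0.113.5/login">https://bank.example</a> to continue.</p>'
          '<p><a href="https://bank.example/help">Help</a></p>'
          '<img src="https://track.example/p.gif" width="1" height="1">')


class MailHtmlAudit(HTMLParser):
    """Walks an HTML mail body, collecting links, images and a plain-text rendering."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._anchor = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
            self.text.append(f"[image: {a['src']}]")
        elif tag in ("p", "br", "div", "tr", "li"):
            self.text.append("\n")

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self.text.append(f" <{self._href}>")   # real target shown next to the visible text
            self._href = None


def _parse(html):
    p = MailHtmlAudit()
    p.feed(html)
    p.close()
    return p


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def audit_html_mail(html):
    """Findings as tuples: ("link-mismatch", shown_host, real_host) when the link text names a host
    other than the href's, ("tracking-pixel", src) for 1x1 remote images, ("remote-image", src) otherwise."""
    p = _parse(html)
    findings = []
    for href, text in p.links:
        if "." in text and " " not in text:            # visible text looks like a URL or hostname
            shown = _host(text if "://" in text else "http://" + text)
            if "." in shown.strip(".") and shown != _host(href):
                findings.append(("link-mismatch", shown, _host(href)))
    for src, width, height in p.images:
        if src.lower().startswith(("http://", "https://")):   # fetched on open: reports that the mail was read
            kind = "tracking-pixel" if (width, height) == ("1", "1") else "remote-image"
            findings.append((kind, src))
    return findings


def render_plain(html):
    """Plain-text view with every link's real address inline, one line per block element."""
    text = "".join(_parse(html).text)
    return "\n".join(" ".join(line.split()) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for finding in audit_html_mail(SAMPLE):
        print(*finding)
    print(render_plain(SAMPLE))
```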
.
.NEWSLIDE
.HEADING 2 "Content"
.SP 5
.LIST BULLET
.ITEM
Phishing
.ITEM
Scams
.ITEM
Images instead of text
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Solutions"
.SP 5
.LIST BULLET
.ITEM
Spam filtering
.ITEM
Common sense
.LIST OFF
.
.NEWSLIDE
.HEADING 1 "Email Security"
.SP 7
.PP
All security enhancements are add-ons,
and you can't make all parties use them.
.
.NEWSLIDE
.HEADING 1 "Sources"
.SP 7
“History Of Email”
In: \fIWikipedia\fR;
Wikipedia, The Free Encyclopedia;
2022-06-30;
.br
.HYPHENATION OFF
https://en.wikipedia.org\:/wiki\:/History_\:of_\:email\:?oldid\:=1101352677