.TITLE "Email Security"
.PDF_TITLE "Email Security"
.AUTHOR "DJ Chase"
.
.nr TOTAL_SLIDES 25
.\" MOM Slideshow Stylesheet
.DOCTYPE SLIDES ASPECT 16:9 FOOTER "" "" "\*[SLIDE#]/\n[TOTAL_SLIDES]"
.HEADER_RULE OFF
.
.\" Heading pages
.de CENTER_HEADING
. PP
. SP 7
. PP
. SP 3
. PP
..
.\" Headings
.HEADING_STYLE 1 FONT R NO_CAPS +2
.HEADING_STYLE 2 FONT R NO_CAPS +1.75
.HEADING_STYLE 3 FONT R NO_CAPS +0
.
.\" Lists
.ALIAS LIST_RESET "RESET_LIST"
.ALIAS DIGIT_LIST "PAD_LIST_DIGITS LEFT"
.
.rn ITEM LIST_ITEM
.de ITEM
. ALD .25v
. LIST_ITEM
..
.START
.
.
.PP
.SP 7
.PP
.HEADING 1 "Email Security"
.HEADING 2 "DJ Chase"
.
.NEWSLIDE
.HEADING 1 "It doesn't exist."
.SP 4
.LIST BULLET
.ITEM
Created in early 1960s
.ITEM
Networked version of system service
.LIST BULLET
.ITEM
Designed throughout 1970s & early 1980s
.LIST UP
.ITEM
All attempts to fix it are tacked on
.ITEM
CIA Triad & more
.LIST OFF
.
.\" #confidentiality
.NEWSLIDE
.HEADING 1 "Confidentiality problem"
.PS
.\" ciaTriad draws the four boxes; each argument is the line thickness of one box
.\" (1.33 highlights the box for the current section, -1 keeps the default)
define ciaTriad {
C: box thick $1 wid 1.25 ht 1.25 "Confidentiality"; move 0.25
I: box thick $2 wid 1.25 ht 1.25 "Integrity"
move down 0.25 from C.sw; move 0.625; right
A: box thick $3 wid 1.25 ht 1.25 "Availability"; move 0.25
M: box thick $4 wid 1.25 ht 1.25 "More"
}
ciaTriad(1.33,-1,-1,-1)
.PE
.
.NEWSLIDE
.HEADING 2 "Encryption"
.SP 3
.LIST BULLET
.ITEM
Plain-text from end to end
.LIST BULLET
.ITEM
No client–server TLS by default
.ITEM
No server–server TLS by default
.ITEM
Messages themselves stored unencrypted
.LIST UP
.ITEM
Store and forward
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 2
.LIST BULLET
.ITEM
Require client–server TLS
.ITEM
Require server–server TLS
.LIST BULLET
.ITEM
Prevents users from sending to some domains
.LIST UP
.ITEM
Communicate directly with receiving server
.ITEM
Require encrypted messages
.LIST BULLET
.ITEM
Only works with handful of servers
.LIST UP
.ITEM
Password-based asymmetric encryption at rest
.ITEM
In corporate environment, require employees to use webmail or IMAP
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 2
.LIST BULLET
.ITEM
Use TLS if available
.ITEM
Encrypt messages with PGP/GPG (Pretty Good Privacy / GNU Privacy Guard)
.LIST BULLET
.ITEM
Must have each other's public keys
.ITEM
Can't use webmail
.LIST UP
.ITEM
Encrypt messages with S/MIME (Secure MIME)
.LIST BULLET
.ITEM
TLS-based — hard/expensive to get certificate
.ITEM
Nobody does this
.LIST UP
.ITEM
In personal environment, use POP3 instead of webmail IMAP
.LIST OFF
.
.\" #integrity
.NEWSLIDE
.HEADING 1 "Integrity problems"
.PS
ciaTriad(-1,1.33,-1,-1)
.PE
.
.NEWSLIDE
.HEADING 2 "Sender integrity"
.SP 3
.LIST BULLET
.ITEM
No verification by default
.ITEM
From:
.ITEM
Return-To:
.ITEM
Sender: (anti-spam)
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 2
.LIST BULLET
.ITEM
SPF (Sender Policy Framework)
.LIST BULLET
.ITEM
DNS-based
.ITEM
Restricts sender IP addresses
.LIST UP
.ITEM
DKIM (DomainKeys Identified Mail)
.LIST BULLET
.ITEM
Header-based
.ITEM
Server certifies from address
.LIST UP
.ITEM
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
.LIST BULLET
.ITEM
DNS-based
.ITEM
Tells other servers how to handle SPF/DKIM errors
.QUIT_LISTS
.SP
.PP
Not part of basic standard — negligent servers will happily deliver bad mail
.
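Added example, not part of the slides: how a receiving server combines the three records above. The DNS TXT records for example.com are constructed sample data standing in for real lookups; the function names and the simplifications (only ip4/ip6/all SPF mechanisms, MAIL FROM domain assumed equal to the From: domain) are my own.

```python
import ipaddress

# Constructed sample TXT records for a made-up domain, standing in for DNS lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF record against
    the connecting IP. Mechanisms that need further DNS (a, mx, include)
    are left out of this example, so they count as no match."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")):
            # 'in' is False on an address-family mismatch, so mixed terms are safe
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term was present

def dmarc_policy(domain):
    """Read the p= tag from _dmarc.<domain>; 'none' if no record is published."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else "none"

def receiver_decision(from_domain, sender_ip, dkim_aligned=False):
    """The receiver's DMARC decision. DMARC passes on an SPF pass or on an
    aligned, verified DKIM signature; otherwise the published policy applies.
    A domain that publishes nothing gets its mail delivered regardless, which
    is the 'negligent servers' point on the slide."""
    if spf_check(from_domain, sender_ip) == "pass" or dkim_aligned:
        return "deliver"
    policy = dmarc_policy(from_domain)
    return policy if policy in ("reject", "quarantine") else "deliver"
```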
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 3
.LIST BULLET
.ITEM
PGP/GPG (Pretty Good Privacy / GNU Privacy Guard)
.LIST BULLET
.ITEM
Client-side
.ITEM
Key distribution
.LIST UP
.ITEM
S/MIME (Secure MIME)
.LIST BULLET
.ITEM
Client-side
.ITEM
TLS certificates
.LIST UP
.LIST OFF
.SP
.PP
Clients might be negligent, outdated, or may not care.
.
.NEWSLIDE
.HEADING 2 "Message integrity"
.SP 3
.LIST BULLET
.ITEM
Servers need to be able to modify headers
.LIST BULLET
.ITEM
Includes From:, Subject:, and other user-facing headers
.ITEM
Headers are stored in-band (same file), so servers can also modify message body
.LIST UP
.ITEM
Store and forward
.LIST BULLET
.ITEM
Trust in third parties
.LIST UP
.ITEM
No end-to-end content verification
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 4
.LIST BULLET
.ITEM
Communicate directly with receiving server
.ITEM
DKIM (DomainKeys Identified Mail)
.LIST BULLET
.ITEM
Can provide message-body checksum
.ITEM
Breaks mailing lists
.QUIT_LISTS
.
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 6
.PP
None — clients inherently trust servers
.
.NEWSLIDE
.HEADING 1 "Availability problems"
.PS
ciaTriad(-1,-1,1.33,-1)
.PE
.
.\" #availability
.NEWSLIDE
.HEADING 1 "Availability problems"
.SP 4
.LIST BULLET
.ITEM
Sending server may send to an impostor if not using TLS
.ITEM
E2EE emails become unavailable if recipient loses their private key
.ITEM
Emails encrypted at rest become unavailable if recipient forgets their password
.ITEM
If using POP3, the only copy of your emails is on your computer
.LIST OFF
.
.NEWSLIDE
.PP
.SP 2
.HEADING 2 "Server-side solutions"
.SP
.LIST BULLET
.ITEM
Use TLS
.LIST OFF
.SP 2
.HEADING 2 "Client-side solutions"
.SP
.LIST BULLET
.ITEM
Back up your private key
.ITEM
Back up your password
.ITEM
Back up your emails
.LIST OFF
.
.\" #more
.NEWSLIDE
.HEADING 1 "Other problems"
.PS
ciaTriad(-1,-1,-1,1.33)
.PE
.
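Added example, not from the slides, for the "Message integrity" point that DKIM can carry a body checksum but breaks mailing lists: the bh= value of a DKIM-Signature header (RFC 6376) computed over a constructed message body, then recomputed after a list footer has been appended in transit. Function names are mine, and only the "simple" body canonicalization is implemented.

```python
import base64
import hashlib

def canonicalize_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines removed, and exactly one CRLF at the end (an empty body
    canonicalizes to a lone CRLF)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body: the value carried in bh=."""
    digest = hashlib.sha256(canonicalize_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_body_hash(body: bytes, bh_tag: str) -> bool:
    """True if the body as received still matches the bh= the signer computed."""
    return body_hash(body) == bh_tag

# Constructed sample body as it left the originating (signing) server ...
ORIGINAL = b"Hello list,\r\n\r\nThe meeting is at 10:00.\r\n"
# ... and the same body after a mailing list appended its footer in transit.
RELAYED = ORIGINAL + b"-- \r\nTo unsubscribe, write to list-help@example.test\r\n"
# What the signing server would have placed in the bh= tag.
SIGNED_BH = body_hash(ORIGINAL)

if __name__ == "__main__":
    print("bh=" + SIGNED_BH)
    print("original body verifies:", verify_body_hash(ORIGINAL, SIGNED_BH))
    print("after list footer:     ", verify_body_hash(RELAYED, SIGNED_BH))
```

The receiving server has no way to tell a helpful footer from a malicious edit; both simply fail the check, which is why lists either strip DKIM or re-sign as themselves.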
.NEWSLIDE
.HEADING 2 "Attachments"
.SP 3
.LIST BULLET
.ITEM
Malware
.ITEM
Double file extensions
.ITEM
File icons
.ITEM
Poorly designed document formats
.ITEM
…
.ITEM
mailto: ?attach
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Server-side solutions"
.SP 5
.LIST BULLET
.ITEM
Prevent attachments
.ITEM
Virus scanner
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Client-side solutions"
.SP 5
.LIST BULLET
.ITEM
Virus scanner
.ITEM
Warn on suspicious files
.ITEM
Restrict mailto: links to To:, Subject:, and body
.ITEM
Common sense
.LIST OFF
.
.NEWSLIDE
.HEADING 2 "HTML mail"
.SP 4
.LIST BULLET
.ITEM
Hyperlinks
.ITEM
Tracking pixels
.ITEM
Web browser
.LIST OFF
.
.NEWSLIDE
.PP
.SP 2
.HEADING 3 "Server-side solutions"
.SP
.LIST BULLET
.ITEM
Reject HTML email
.LIST OFF
.SP 2
.HEADING 3 "Client-side solutions"
.SP
.LIST BULLET
.ITEM
Pop-up with actual link address
.ITEM
Disable images
.ITEM
Show plain-text alternative
.LIST OFF
.
.NEWSLIDE
.HEADING 2 "Content"
.SP 5
.LIST BULLET
.ITEM
Phishing
.ITEM
Scams
.ITEM
Images instead of text
.LIST OFF
.
.NEWSLIDE
.HEADING 3 "Solutions"
.SP 5
.LIST BULLET
.ITEM
Spam filtering
.ITEM
Common sense
.LIST OFF
.
.NEWSLIDE
.HEADING 1 "Email Security"
.SP 7
.PP
All security enhancements are add-ons, and you can't make all parties use them.
.
.NEWSLIDE
.HEADING 1 "Sources"
.SP 7
“History Of Email” In: \fIWikipedia\fR; Wikipedia, The Free Encyclopedia; 2022-06-30;
.br
.HYPHENATION OFF
https://en.wikipedia.org\:/wiki\:/History_\:of_\:email\:?oldid\:=1101352677