Early last week I emailed a group of IETF Area Directors, for the Security and Applications areas, asking them to start the process of creating a new Working Group to address the issues around email security. (Thanks Adrian Farrel for the prodding!)
Today, the first result of the effort has been completed – the new endymail mailing list. An IETF venue to discuss how these issues can be addressed, hopefully laying the groundwork updated standards to improve email as we know it today, and eventually standardizing a replacement to SMTP and related protocols. Here’s the description that the group came up with for the new list:
There is significant interest in improving the
privacy-related properties of Internet mail. One focus of
current efforts is on the per-hop (connection-based)
protections provided by TLS. However a wide range of other
work has a focus on end-to-end protection, at the Internet
scale of billions of end users and perhaps millions of
operators. Such work typically involves new forms of mail
header or body protection, new public key management
(compared to S/MIME or PGP), and security mechanisms more
appropriate for mobile/web user-agents. Other
security-relevant approaches may be discussed if needed.
Various proposals and development efforts on this topic are
underway outside the IETF. This mailing list provides an
IETF venue for discussion of elements that might be commonly
needed by such efforts and to identify work that the IETF
could do to aid in achieving better end-to-end security
deployed for Internet email.
While the creation of another mailing list is far from groundbreaking, it’s the necessary first step in standardizing a solution to a decades old problem.
I encourage everyone interested in email security and privacy to join the list, and participate in the discussions that will lead to new standards. (Though please wait a bit for people to subscribe before starting discussions.)
A big thanks to Stephen Farrell, Joe Hildebrand, and Pete Resnick for their enthusiastic support for this effort.
It’s time for everyone from the industry, developers, and the government to declare war on ransomware and make it as hard as possible for them to ply their insidious trade. There have been false starts and baby steps, diligent fighters without enough resources, and vendors that have only given a nod to the issue. It’s time to use every tool reasonably available to stop this scourge.
For so many in the industry that have dedicated so much of their time and effort to this fight, this statement may seem to diminish their efforts, but that is not my intent.
If you’ve bothered to look at Twitter or any technology news source, you’ve seen that Apple made a major announcement: Expanded Protections for Children. This has been written about by countless outlets, so I’ll assume you’re familiar with the basics.
The announcement covered a few new features being added to the next version of Apple’s operating systems, namely:
Scanning of inbound and outbound messages for sexually explicit images. Scanning images being uploaded to iCloud for CSAM.
Brave is a web browser available for multiple platforms that aims to provide additional security and privacy features – plus a novel monetization scheme for publishers. I gave it 30 days to see if it was worth using. I switched on all platforms I use to give it a fair shot, I normally use Chrome which made the switch less painful, though the results were very much mixed. There are some things I honestly liked about it, some things I really disliked, and at least one thing that just made me mad.
Last week I gave a lighting talk at the DEFCON CryptoVillage on SMIMP. The talk went over the basics of why the project is needed, and how the specification works.
Here are the slides:
Here is a rough transcript of the talk:
Slide 1: I’m Adam Caudill, I’m a developer and security researcher; I work on a number of different things, but my recent work has been around privacy and secure messaging.
E-Mail, the venerable old standard for internet text messages, dating back to the early 1980s – and back to the early 1970s in other forms, has long been the “killer app” of the internet. While so many companies try to make the next great thing that’ll capture users around the world – none of these compare to the success of e-mail. It is likely the single most entrenched application-layer protocol used today.
