
Re: E-mail Address in WEB Browser




On Thu, 14 Dec 1995, Jonathon Tidswell wrote:

> Message-ID: syd-02-msg951214061334MTP[01.51.00]000001a0-4001
> ----------
> | From:  <patw@aqmd.gov>
> [..snip..]
> | For example, I can put somebody else's E-mail address (on the mail server I
> | am using) on my Netscape Web browser, and visit some web site and send
> | "mailto" messages under that assumed name.  The mail would be sent to the
> | "mailto" address as the person I have put in the E-Mail options
> | of the Netscape browser.
> 
> The solution to this problem is also very similar to the one used in 
> snail mail,
> perhaps it's something to do with *mail* systems.
> The idea is that you include some identifying (and hard to forge) 
> information in the document.
> This could be a wax seal, a hand written signature, a piece of code 
> based on a shared secret, references to previous shared secret (non 
> reusable :-).
> 
> In the electronic world you might want an electronic signature, however 
> you can't force me to sign my mail, the best you can do is reject/ignore 
> unsigned email.
> 
All of those things are well and good for authenticating someone you know 
personally, but the fact remains that I could, in the space of 5 minutes, 
post to this list with your name, and probably no one would know the 
difference.

I must admit I'm surprised that Netscape didn't at least do something 
like add a header field (X-Originated-From, for example), in cases where 
the user input name and return mail address indicated a different domain 
than they were really in.

However, I think we're looking over perhaps the easiest way to check 
validity - the Received: headers on the mail.  If I send mail that claims 
to be from martin@martian.org, and you examined the headers, you would 
see that the first machine it traveled through was virtu.sar.usf.edu.  
You would then see it go through a bunch of others, but almost certainly 
*never* any machine in the martian.org domain.  This makes it pretty much 
a dead giveaway.

- --Joshua

Addendum -  I say this in the context of web mailto: forms alone, 
really.  Of course for more serious or sensitive email, there's 
absolutely no replacement for strong digital signatures and/or encryption.

 
#include <std_sig.h>
 
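Joshua's Received: header check, as an added Python example that is not part of the original thread: it parses each Received: hop and asks whether any hop lies in the domain the From: address claims. The two sample messages are constructed; only virtu.sar.usf.edu and martian.org come from the post above.

```python
import email
import email.utils
import re

# Constructed sample (not from the thread): From: claims martian.org, but
# the earliest Received: hop is virtu.sar.usf.edu and no hop is in martian.org.
SPOOFED_MESSAGE = """\
Received: from mailhub.example.net (mailhub.example.net [192.0.2.20])
    by list.example.org with SMTP; Thu, 14 Dec 1995 10:02:11 -0500
Received: from virtu.sar.usf.edu (virtu.sar.usf.edu [192.0.2.10])
    by mailhub.example.net with SMTP; Thu, 14 Dec 1995 10:01:58 -0500
From: martin@martian.org
To: list@example.org
Subject: Re: E-mail Address in WEB Browser

Hello.
"""

# Constructed legitimate counterpart: the first hop really is in martian.org.
LEGIT_MESSAGE = SPOOFED_MESSAGE.replace(
    "from virtu.sar.usf.edu (virtu.sar.usf.edu [192.0.2.10])",
    "from mail.martian.org (mail.martian.org [198.51.100.5])")

# Host named in the "from" clause that opens each Received: header.
HOP_RE = re.compile(r"^\s*from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def received_hops(raw):
    """Hosts from each Received: 'from' clause, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.group(1).lower().rstrip("."))
    return hops

def sender_domain(raw):
    """Domain part of the From: address (empty string if none)."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def check_origin(raw):
    """Return (claimed_domain, hops, consistent); consistent is True when
    some hop is the claimed domain or a host beneath it."""
    domain = sender_domain(raw)
    hops = received_hops(raw)
    ok = bool(domain) and any(
        h == domain or h.endswith("." + domain) for h in hops)
    return domain, hops, ok
```

Only the Received: lines added by relays you control are trustworthy; a sender can forge lines below them, so the list is read from the top down and treated as a heuristic, not proof.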

