Re: E-mail Address in WEB Browser
On Thu, 14 Dec 1995, Jonathon Tidswell wrote:
> | From: <patw@aqmd.gov>
> [..snip..]
> | For example, I can put somebody else's E-mail address (on the mail server I
> | am using) on my Netscape Web browser, visit some web site and send
> | "mailto" messages under that assumed name. The mail would be sent to the
> | "mailto" address as the person I have put in the E-Mail options
> | of the Netscape browser.
>
> The solution to this problem is also very similar to the one used in
> snail mail; perhaps it's something to do with *mail* systems.
> The idea is that you include some identifying (and hard to forge)
> information in the document.
> This could be a wax seal, a hand written signature, a piece of code
> based on a shared secret, references to previous shared secret (non
> reusable :-).
>
> In the electronic world you might want an electronic signature; however,
> you can't force me to sign my mail. The best you can do is reject/ignore
> unsigned email.
>
All of those things are well and good for authenticating someone you know
personally, but the fact remains that I could, in the space of 5 minutes,
post to this list with your name, and probably no one would know the
difference.
I must admit I'm surprised that Netscape didn't at least do something
like add a header field (X-Originated-From, for example) in cases where
the user-input name and return mail address indicated a different domain
than they were really in.
However, I think we're overlooking perhaps the easiest way to check
validity - the Received: headers on the mail. If I send mail that claims
to be from martin@martian.org, and you examined the headers, you would
see that the first machine it traveled through was virtu.sar.usf.edu.
You would then see it go through a bunch of others, but almost certainly
*never* any machine in the martian.org domain. This makes it pretty much
a dead giveaway.
--Joshua
Addendum - I say this in the context of web mailto: forms alone,
really. Of course for more serious or sensitive email, there's
absolutely no replacement for strong digital signatures and/or encryption.
#include <std_sig.h>
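The Received:-header check described in the post above, as an added example that is not part of the thread: it parses a constructed message whose From: claims martian.org but whose first hop is virtu.sar.usf.edu (the other hostnames and the 192.0.2.x addresses are made up), walks the Received: chain from the oldest hop, and flags the mismatch.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the mailing list). Received: headers
# are prepended by each relay, so the bottom one is the first hop.
SAMPLE = """\
Received: from relay2.example.net (relay2.example.net [192.0.2.20])
\tby mx.example.org with SMTP; Thu, 14 Dec 1995 10:05:00 -0500
Received: from virtu.sar.usf.edu (virtu.sar.usf.edu [192.0.2.10])
\tby relay2.example.net with SMTP; Thu, 14 Dec 1995 10:04:30 -0500
From: martin@martian.org
To: list@example.org
Subject: test

hello
"""


def received_hosts(raw):
    """Return the 'from' host of each Received: header, oldest hop first."""
    msg = email.message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received", []):
        # Folded continuation lines stay in the value; we only need the start.
        m = re.match(r"\s*from\s+([^\s(;]+)", value, re.IGNORECASE)
        hosts.append(m.group(1).lower() if m else None)
    return list(reversed(hosts))


def from_domain(raw):
    """Domain part of the From: address, or None if there is none."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def origin_mismatch(raw):
    """True when the first relay hop lies outside the domain From: claims.

    Returns None when the headers do not carry enough information to judge.
    """
    domain = from_domain(raw)
    hops = received_hosts(raw)
    if not domain or not hops or hops[0] is None:
        return None
    first = hops[0]
    return not (first == domain or first.endswith("." + domain))
```

Only Received: lines added by relays you trust are reliable; a sender can prepend bogus ones, so in practice the check is applied from your own mail server's header downward.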