
RE: E-mail Address in WEB Browser

Received: from att.com by vodka.sse.att.com; Fri, 15 Dec 1995 11:26 EST
Received: by cwf-nb.sse.att.com with Microsoft Mail
	id <01BACADF.5E0C6BA0@cwf-nb.sse.att.com>; Fri, 15 Dec 1995 11:20:41 -0500
Message-ID: <01BACADF.5E0C6BA0@cwf-nb.sse.att.com>
From: Chuck Flink <c.flink@att.com>
To: 'Joshua Heling' <heling@virtu.sar.usf.edu>, Jonathon Tidswell
	 <t-jont@microsoft.com>
Cc: "patw@aqmd.gov" <patw@aqmd.gov>, "www-security@ns2.rutgers.edu"
	 <www-security@ns2.rutgers.edu>
Subject: RE: E-mail Address in WEB Browser
Date: Fri, 15 Dec 1995 11:20:39 -0500
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Content-Length: 1675


Joshua Heling wrote:
>[snip]
>However, I think we're overlooking perhaps the easiest way to check 
>validity - the Received: headers on the mail.  If I send mail that claims 
>to be from martin@martian.org, and you examined the headers, you would 
>see that the first machine it traveled through was virtu.sar.usf.edu.  
>You would then see it go through a bunch of others, but almost certainly 
>*never* any machine in the martian.org domain.  This makes it pretty much 
>a dead giveaway.
>[snip]

Unfortunately, as more and more of us subscribe to dial-up internet
access providers and use our laptops, searching for evidence in the
mail headers is no longer practical.  I send mail from my MSN, AOL,
and InfiNet accounts as well as from my corporate account.  All of
these mailboxes (except AOL) are integrated on my laptop under the Windows
95 Exchange client.  Further, Exchange seems to work hard to "hide" all
the header info from me (to my annoyance when something goes wrong), making
it difficult to double-check the From: line.

(Note: I have "work" and "home" profiles under Exchange.  I'm thinking
about segregating my inbox also and disciplining myself to only use the
"work" profile for work related matters.  ...but this "good practice" is
certainly not enough.  We need encryption and more trustworthy PCs.)

Clearly, the "right" answer is along the lines of digital signatures
automatically verified with Certificate Authorities by the email system.
This also requires laws governing CA's limits of accountability and
techniques to assure that the PC's email system signature checking SW is
not bypassed/disabled by viruses, etc. 

-Chuck Flink  c.flink@att.com
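The Received:-chain check Joshua describes, and the failure mode Chuck replies with, as an added example that is not part of either post. It parses the Received: headers of three constructed messages, earliest hop first, and asks whether any relay sits inside the From: domain. The hostnames archive.example.net and dialup-pop.isp.example and the address 192.0.2.10 are placeholders; the corporate sample reuses the hop names from Chuck's own headers above. The dial-up sample is the point of Chuck's reply: a genuine message relayed through a provider never touches att.com, so the heuristic flags it just like the forgery.

```python
"""Check a message's From: domain against its Received: chain.

Added example for the www-security thread above; not code from either poster.
All three messages below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

# Hostnames appearing after "from" or "by" in a Received: header.
# Requires a dotted name ending in an alphabetic TLD, so bracketed IPs,
# message IDs and dates are skipped.
HOST_RE = re.compile(
    r"\b(?:from|by)\s+([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,})", re.I
)

# Constructed: claims martian.org but first entered the mail system at
# virtu.sar.usf.edu, as in Joshua's description.  archive.example.net and
# 192.0.2.10 are placeholders.
FORGED = (
    "Received: from ns2.rutgers.edu (ns2.rutgers.edu [192.0.2.10])\n"
    "\tby archive.example.net; Fri, 15 Dec 1995 12:01:00 -0500\n"
    "Received: from virtu.sar.usf.edu by ns2.rutgers.edu;"
    " Fri, 15 Dec 1995 12:00:00 -0500\n"
    "From: Martin <martin@martian.org>\n"
    "To: www-security@ns2.rutgers.edu\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed from the hop names in Chuck's own headers: sent from a corporate
# desktop, so the chain starts inside att.com.
CORPORATE = (
    "Received: from att.com by vodka.sse.att.com; Fri, 15 Dec 1995 11:26 EST\n"
    "Received: by cwf-nb.sse.att.com with Microsoft Mail\n"
    "\tid <01BACADF.5E0C6BA0@cwf-nb.sse.att.com>; Fri, 15 Dec 1995 11:20:41 -0500\n"
    "From: Chuck Flink <c.flink@att.com>\n"
    "To: www-security@ns2.rutgers.edu\n"
    "Subject: corporate\n"
    "\n"
    "body\n"
)

# Constructed: the same sender on a laptop via a dial-up provider.  The From:
# is genuine, but no hop is in att.com.  dialup-pop.isp.example is a placeholder.
DIALUP = (
    "Received: from dialup-pop.isp.example by ns2.rutgers.edu;"
    " Fri, 15 Dec 1995 14:00:00 -0500\n"
    "From: Chuck Flink <c.flink@att.com>\n"
    "To: www-security@ns2.rutgers.edu\n"
    "Subject: from the road\n"
    "\n"
    "body\n"
)


def received_hosts(raw):
    """Hostnames named in Received: headers, earliest hop first.

    Relays prepend their Received: line, so the header order is reversed
    to recover the path the message actually took.
    """
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hops.extend(h.lower() for h in HOST_RE.findall(hdr))
    return hops


def from_domain(raw):
    """Domain part of the From: address (empty string if absent)."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def check_origin(raw):
    """Joshua's heuristic: did the message ever pass through its From: domain?"""
    domain = from_domain(raw)
    hops = received_hosts(raw)
    return {
        "from_domain": domain,
        "first_hop": hops[0] if hops else None,
        "touched_from_domain": any(in_domain(h, domain) for h in hops),
    }


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("corporate", CORPORATE), ("dialup", DIALUP)):
        print(name, check_origin(raw))
```

Running it shows the forged and dial-up messages both reported as never touching their From: domain, which is exactly why the check cannot distinguish a forgery from a roaming user and why the reply above turns to signatures instead.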