General Discussion: Caller ID on the Internet?

  • Monday, March 30, 2009 11:45 PM, Doug Cavit (MSFT)
     

    We make trust decisions every day based on faces, past reputations, approaching cars, etc.  As we’ve moved into new mediums we’ve had to build out new ways of making identifications and then make the appropriate trust decisions.  Many of us every day get a call on our cell phone or at our house and instinctively look at the caller id to see who it is.  Is it a friend, is it my boss, or is it someone I don’t know?  With that one piece of information we have formed an opinion about whether we will answer the call, how we may greet the caller, and how much trust we’ll put into any conversation we have. 

    Today on the Internet there is no equivalent of Caller ID.  There are email headers that claim to be everyone from Bill Gates to your own name offering fantastic deals or enticing you to a phishing site.  There is no trusted way to establish the identity of that person that is sending you email, asking you to IM, or to visit their webpage.  That ability to have a context to make a trust decision is lost without some definitive means to identify who it is that is contacting you.

    The question is how do we bring identity and reputation functionality to the Internet in a way that not only enables trusted interactions but preserves choice and free speech?  How do we get the equivalent of “call screening” where we can choose to only answer calls from people who identify themselves?  How can we still allow the equivalent of “number withheld” to preserve anonymous free speech?  In an End to End Trust world, do we need to have both?

All Replies

  • Wednesday, April 08, 2009 8:52 PM, John Biccum
     

    Others have pointed out that digital signatures for email are one method of authenticating email.  S/MIME is available, is an open standard, and it works.  If every legitimate mail from my bank was S/MIME signed by my bank I would realize that that phishing mail purporting to come from my bank wasn’t really from my bank.  S/MIME is not without its issues, lack of support in webmail for one.  But if every bank in the country started S/MIME signing every single email to their customers I suspect that webmail providers would have little choice but to support S/MIME.

    Yes, I realize that the problem is much greater than just email.  But email is the vector that a lot of bad actors use to accomplish a lot of internet crime so I think we should be using the tools that could make email authenticity a reality.

     Should we start an internet campaign to end unsigned email?

     

  • Thursday, April 09, 2009 7:51 PM, Harry Waldron (MVP)
     
    >> Today on the Internet there is no equivalent of Caller ID

    Hi Doug - In some respects we do leave a caller ID #, as our IP address actually gets recorded often and it reduces some of our privacy.  However, you make great points, as IP addresses are more "after the fact" than something we can establish trust with initially.  I'm sharing this more as a privacy concern than a security safeguard.

    As you shared, there are often no trusted screening processes that tell you up front, when a brand new email message or website link is offered to us.  Spam, content, and malware detection facilities help.  Also, one should "think security before they click" and when in doubt avoid taking chances.  Best practices are our friend, but even they are not always 100%.
  • Friday, April 17, 2009 8:15 PM, Gazanga
     
    Sadly, there is a tough line to be walked between freedoms and security.  We all strive for a perfect world where we can trust everyone we meet, but we know that not to be the case.  I think there is some hope with IPv6, but there is also more complexity, which can also create more vectors of fraud and abuse.
    Eric Irvin, MCP, MCSA, MCSE, MCITP:Enterprise Admin, CISSP http://www.diggingup.com
  • Tuesday, June 23, 2009 3:33 AM, Pappkartoosh
     
    I agree with Mr. Waldron. IPv4 did help and when some groups got together with tools like Hackerwatch, we got pretty effective until more and more ISPs (and others) strived to make a dynamic routing system static (AKLES). Even before that AOL's downfall wasn't the lack of talent, but quite the opposite. Those proxy nests are still not torn down. Marketers, and content management (not for moral reasons but for profit), continue to mold and drive technology as some of the early groups have moved on to different names now that their war chests are too heavy to keep moving even in an international market.
    No. I fear that even if you had a foolproof mechanism supported by a profit free international idiom, you would be wrecked endlessly by the people who would lose their control over such content. Remember? 2 of the traitorous eight died of heart attacks... Today a microbeam masked by cell phones, honed in by remob, can create a harmonic frequency that guarantees cancer. This all seems like nervous fumblings like the first time you discover why insurance companies do not invest in cures. The answer goes a lot deeper than "it is profitable to supply treatments" even though most of the funding research they benefit from was tax paid. I am not condemning the US. Just the secret services... unbound. Coming from a poor background, I never thought I would have Touchstone Delta, or Paragon, or a Crey. As part of the silent majority from the 70s, disgusted with the disease wrought by free love, saw the Hoover syndrome ad infinitum by technology and helped push "Freedom of Information" after discovering I was just collateral from MK80. ;) The "Y" generation certainly has some significant challenges. I watched as robotics was exported due to unions and saw the result. Encryption, although it may be late for the US, must! needs! a moral structure, but is useless to the US because any chips made here are not affordable, and any imported is certain to circumvent any wrestling over CONTROL. Dr. Benstein's work on L2 cache timing attacks, although precise and instructive would pale towards the multicore architectures and memory arrays. Might I propose that instead of paper, each governing institution design and patent their own encryption chip? We could embed it, RFID, and... bio-encode... hmmmm, sounds like a doomsday prediction I read somewhere... Rots of Ruck.

    Pappkartoosh
    Just another speck in a Fibonacci sequence of stars about to be reordered by Andromeda