Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Conversations with colleagues over the past few months had me thinking about this. If a company were to require that all email handled by its servers is digitally signed, could that help to reduce the spread of email-borne viruses? I’ve come up with the following considerations:

1. The biggest email-borne threat is in the form of attachments consisting of executable content (e.g. "Click on this to see the dancing elephants!"). So stripping such attachments at the server is effective. However, determining what qualifies as executable content vs. what qualifies as "safe enough" is a moving target. For example, lots of people rely on compressed/ZIP attachments, and few organizations block them, but there have been critical flaws reported in that file format. Ditto for Office suite documents, especially with respect to embedded macros. There have even been recent security flaws in multimedia formats. In summary, configuring the mail server to respond to up-to-the-minute threats from myriad file formats, while still balancing productivity requirements, is hard.

2. Conditionally locking down the mail server to accept only signed email is problematic in two regards. First, if this is done in response to an elevated internet threat level, it’s likely to be too late, especially for a large organization with a large attack surface. I.e. the virus is already on the corporate network. Second, this implies that every internal email client, even those that just a moment ago weren’t required to send signed email, can dynamically start doing so on demand. This is likely to cause more problems than establishing a policy to be in effect at all times.

3. In addition, regardless of whether an S/MIME policy were enforced at all times or only conditionally, consideration must be made for external email. Must all of the company’s partners send signed email as well? Within enterprises that have deployed a PKI, best-practice is to rely on internal certificate chains for all line-of-business use. Otherwise, trust decisions are being delegated to an outside entity. But cross-certification doesn’t scale to the degree that most companies are likely to require in order to enforce 100% inbound and outbound signed email. Perhaps the usual digital identity vendors (e.g. Thawte; VeriSign) are well-known enough to be trusted for "everyday" email signing purposes (e.g. as opposed to certain high-value internal transactions) across a majority of partner relationships. But that raises the cost of provisioning each user, especially if an enterprise PKI exists.

4. A smart virus will respect the settings of the user’s mail client. If I’m writing a virus or worm that spreads via email, and I want it to be robust against enterprise defenses, then I’ll make it send signed email. On the defense side, best practice is for users to be prompted to confirm use of their private key. But the majority of users will click OK.

5. In comparing two short and otherwise identical emails sent from Outlook via Microsoft Exchange, one signed and one not, the signed one is three times the size! Comparing a larger-than-average email with an attachment, the signed version is still 50% bigger. Some percentage of the S/MIME overhead may be specific to Microsoft’s implementation, even though this stuff is theoretically standards-based, but there’s still a practical concern here. Storage itself is relatively cheap, but I don’t know how well existing servers scale on throughput.

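To illustrate the attachment-stripping side of point 1, here is an added example (mine, not from the original post) of a content-based classifier a mail gateway could run: it decides by leading bytes and by ZIP contents rather than by file name, so a renamed executable, an executable inside a ZIP, or a macro-bearing Office package is caught. The magic-byte table, the macro markers, the "strip"/"allow" policy and the in-memory sample archives are all assumptions constructed for the example.

```python
import io
import zipfile

# Leading bytes that identify executable content regardless of file name.
EXECUTABLE_MAGIC = {
    b"MZ": "pe-executable",        # Windows PE / DOS header (.exe, .scr, .dll, ...)
    b"\x7fELF": "elf-executable",
    b"#!": "script",
}
MACRO_MARKERS = ("vbaProject.bin", "macrosheets/")  # macro parts of an OOXML (.docm/.xlsm) package
BLOCKED = {"pe-executable", "elf-executable", "script", "office-with-macros", "corrupt-zip"}
MAX_INNER_BYTES = 1_000_000  # bound on how much of one archive member we inflate

def classify_bytes(data: bytes, depth: int = 0) -> str:
    """Label content by what it is; recurse into ZIP containers (two levels deep)."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    if not data.startswith(b"PK\x03\x04"):
        return "data"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(m in name for name in zf.namelist() for m in MACRO_MARKERS):
                return "office-with-macros"
            if depth >= 2:
                return "zip-unscanned"      # too deeply nested to keep reading
            for info in zf.infolist():
                if info.file_size > MAX_INNER_BYTES:
                    return "zip-unscanned"  # refuse to inflate oversized members
                inner = classify_bytes(zf.read(info), depth + 1)
                if inner in BLOCKED or inner == "zip-unscanned":
                    return "zip-containing-" + inner
            return "zip"
    except zipfile.BadZipFile:
        return "corrupt-zip"  # cannot be inspected, so it cannot be vouched for

def policy_decision(data: bytes) -> str:
    """Gateway decision: 'strip' anything blocked or uninspectable (directly or inside a ZIP)."""
    label = classify_bytes(data)
    if label in BLOCKED or label.startswith("zip-containing-") or label == "zip-unscanned":
        return "strip"
    return "allow"

def make_zip(entries: dict) -> bytes:
    """Build a small in-memory ZIP (constructed sample input, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()
```

The classifier deliberately errs toward "strip" for archives it cannot fully inspect, which is the productivity-versus-safety trade-off the point above describes.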