The Washington Times On Technology Column: July 21, 2005
Jul. 21–BETTER SECURITY DESERVES PRIORITY: Spam and phishing: The first is a paralyzing waste of your time, and the second is a way of making your bank account disappear. By now it is clear that no easy solution exists. Something systematic and systemwide needs to be done.
Some folks are trying. Yahoo proposes an approach, which it calls DomainKeys, that would do wonders to eliminate phishing and vastly reduce spam. Thought and cooperation across the Internet would be needed to make it work, but something has to be done.
We all know what spam is. In "phishing," you get an e-mail that appears to come from, say, your bank. It asks you on some contrived pretext to enter your password. A few people always will. They lose their savings.
With both spam and phishing, the evil-doer relies on falsifying, or "spoofing," the sending address: the "from" line. Obviously, if you got a letter purporting to be from SunTrust but the "from" line said WickedHacker@aol.com, you wouldn’t bite, and somebody unfriendly from AOL would show up at WickedHacker’s house with a warrant.
Unfortunately, spoofing is easy. The Internet was set up for honest scientists to use, so security wasn’t a priority. The security has to be retrofitted.
How does DomainKeys work? It isn’t easy to explain in a short column, but here’s a shot at it: There is something called public-key cryptography, widely used on the Internet. To use it to send me a coded message, the sender — SunTrust, for example — uses a secret number, called a private key, to encrypt the "from" line (I’m simplifying here). SunTrust has another number, called a public key, which I can use to decrypt the "from" line. The math is tricky, but if I have the bank’s public key I can decrypt any message it sends using its private key.
How do I get the SunTrust public key? There are things on the Internet called DNS servers. They contain all the "domain names" on the Internet, such as washingtontimes.com, suntrust.com and redcross.org. Yahoo wants to put the public keys of domains on the DNS servers. Then, when I get e-mail claiming to come from SunTrust, my computer automatically goes to the DNS server, gets the SunTrust public key, and tries to decrypt the "from" line.
If it works, the e-mail is from SunTrust. If it doesn’t, the "from" line has been faked. I delete it.
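The check described above, as an added sketch that is not part of the original column and not Yahoo's code: the sender signs a hash of the "from" line and body with its private key, and the receiver looks up the public key by the sending domain and verifies it. The toy RSA keys, the `DNS` dictionary standing in for a real DNS lookup, and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy RSA key from two primes: returns (n, d). Illustration only, not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed keys. Mersenne primes keep this short; real keys use random primes.
BANK_N, BANK_D = make_key(2**521 - 1, 2**607 - 1)   # private exponent stays with the bank
CROOK_N, CROOK_D = make_key(2**127 - 1, 2**89 - 1)  # a forger's own, unrelated key

# Constructed stand-in for DNS: domain -> public key (n, e) published by its owner.
DNS = {"suntrust.com": (BANK_N, E)}

def digest(from_addr, body):
    """Hash the From line together with the body, so neither can be altered."""
    data = f"From: {from_addr}\r\n\r\n{body}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(from_addr, body, n, d):
    """Sender side: apply the private exponent to the message hash."""
    return pow(digest(from_addr, body) % n, d, n)

def verify(from_addr, body, signature):
    """Receiver side: fetch the key for the From domain and check the signature."""
    domain = from_addr.rpartition("@")[2].lower()
    key = DNS.get(domain)
    if key is None:
        return False  # assumption: no published key is treated as "not verified"
    n, e = key
    return pow(signature, e, n) == digest(from_addr, body) % n

if __name__ == "__main__":
    sender, body = "alerts@suntrust.com", "Your statement is ready."
    lure = "Enter your password here."
    good = sign(sender, body, BANK_N, BANK_D)
    forged = sign(sender, lure, CROOK_N, CROOK_D)  # spoofed From, wrong key
    print("genuine:", verify(sender, body, good))
    print("forged: ", verify(sender, lure, forged))
    print("altered:", verify(sender, body + " Reply with your PIN.", good))
```

A message with a spoofed "from" line fails because the forger cannot produce a signature that matches the key published for suntrust.com.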
DomainKeys would guarantee that your e-mail came from where it said it came from. This would be great for getting rid of spammers, too, because it would make their e-mail messages traceable.
This kind of security doesn’t come free. For one thing, it would increase traffic on the Internet and use more processor time on servers. For another, it would work only if nearly everybody agreed to adopt it. Yahoo, which as a huge online company has a profound interest in stopping spam, offers to license the necessary code free to those who want to use it.
Other systems have been proposed, and none is perfect. All would increase the burden on the Internet or be a nuisance. Yet something has got to be done. The choice is either to work together like grownups and get rid of spammers and other pests, or live with them forever.
Too much depends on the Internet to justify unending equivocation. Yet people aren’t going to use it if they think they are likely to lose their money. The constant stories of identity theft and pilferage of passwords via spyware will put a dent in online commerce.
We must do something. Now.
—–
Copyright (c) 2005, The Washington Times
Distributed by Knight Ridder/Tribune Business News.
