In a paper (sorry, PDF only) last month at FC05, Garfinkel and friends reported on an interesting survey conducted in two communities of merchants, one which received signed email from a supplier, and one which did not. This was an unusual chance to test two groups distinguished by usage of a crypto tool.
The biggest result to my mind is that users simply didn't as a body understand what the signed emails were all about. Even though these merchants were dealing with valuable transactions, the group that was receiving signed email only did a little better than the control group in knowing it (33% as opposed to 20%). This is a confusion that I'd expect; I recently installed a good cert into my Thunderbird and I still cannot send out signed or encrypted email using S/MIME (I forget why).
It's a very valuable survey, and a welcome addition to the work of Ping, Friedman, et al., and of course Simson Garfinkel's thesis. I've copied the Conclusion below as anyone involved with email or user security should be aware of how real systems meet real users.
But there is one area where I take exception. Garfinkel et al. believe that commercial entities "should immediately adopt the practice of digitally-signing their mail to customers with S/MIME signatures using a certificate signed by a widely-published CA such as VeriSign."
Strongly Disagree! As there is nothing in the paper that indicates the meaning of a digital signature, this is a bad recommendation. Are they asking merchants to take on unlimited liability? Is this simply a protection against forged emails? Or a checksum against network corruption? Without some thought as to what it is the merchant is promising, I'd recommend that signing be left off.
(Encryption, on the other hand, is fine. We can never have enough encryption. But this survey didn't cover that.)
Views, Reactions and Impact of Digitally-Signed Mail in e-Commerce
Abstract. We surveyed 470 Amazon.com merchants regarding their experience, knowledge and perceptions of digitally-signed email. Some of these merchants (93) had been receiving digitally-signed VAT invoices from Amazon for more than a year. Respondents' attitudes were measured as to the role of signed and/or sealed mail in e-commerce. Among our findings: 25.2% of merchants thought that receipts sent by online merchants should be digitally-signed, 13.2% thought they should be sealed with encryption, and 33.6% thought that they should be both signed and sealed. Statistically-significant differences between merchants who had received the signed mail and those who had not are noted. We conclude that Internet-based merchants should send digitally-signed email as a best practice, even if they think that their customers will not understand the signatures, on the grounds that today's email systems handle such signatures automatically and the passive exposure to signatures appears to increase acceptance and trust.
4 Conclusions and Policy Implications
We surveyed hundreds of people actively involved in the business of e-commerce as to their views on and experience with digitally-signed email. Although they had not received prior notification of the fact, some of these individuals had been receiving digitally-signed email for more than a year. To the best of our knowledge this is the first survey of its kind.
It is widely believed that people will not use cryptographic techniques to protect email unless it is extraordinarily easy to use. We showed that even relatively unsophisticated computer users who do not send digitally-signed mail nevertheless believe that it should be used to protect the email that they themselves are sending (and to a lesser extent, receiving as well).
We believe that digitally-signed mail could provide some measure of defense against phishing attacks. Because attackers may try to obtain certificates for typo or copycat names, we suggest that email clients should indicate the difference between a certificate that had been received many times and one that is being received for the first time much in the way that programs implementing the popular SSH protocol [15] alert users when a host key has changed.
We found that the majority (58.5%) of respondents did not know whether or not the program that they used to read their mail handled encryption, even though the vast majority (81.1%) use such mail clients. Given this case, companies that survey their customers as to whether or not the customers have encryption-capable mail readers are likely to yield erroneous results.
We learned that digitally-signed mail tends to increase the recipient's trust in the email infrastructure. We learned that despite more than a decade of confusion over multiple standards for secure email, there are now few if any usability barriers to receiving mail that's digitally-signed with S/MIME signatures using established CAs.
Finally, we found that people with no obvious interest in selling or otherwise promoting cryptographic technology believe that many email messages sent today without protection should be either digitally-signed, sealed with encryption, or both.
The complete survey text with simple tabulations of every question and all respondent comments for which permission was given to quote is at http://www.simson.net/smime-survey.html.
4.1 Recommendations
We believe that financial organizations, retailers, and other entities doing business on the Internet should immediately adopt the practice of digitally-signing their mail to customers with S/MIME signatures using a certificate signed by a widely-published CA such as VeriSign. Software for processing such messages is widely deployed. As one of our respondents who identified himself as a very sophisticated computer user wrote:
I use PGP, but in the several years since I have installed it I have never used it for encrypting email, or sending signed email. I have received and verified signed email from my ISP. I have never received signed email from any other source (including banks, paypal, etc, which are the organisations I would have thought would have gained most from its use).
Given that support for S/MIME signatures is now widely deployed, we also believe that existing mail clients and webmail systems that do not recognize S/MIME-signed mail should be modified to do so. Our research shows that there is significant value for users in being able to verify signatures on signed email, even without the ability to respond to these messages with mail that is signed or sealed.
We also believe that existing systems should be more lenient with mail that is digitally-signed but which fails some sort of security check. For example, Microsoft Outlook and Outlook Express give a warning if a message is signed with a certificate that has expired, or if a certificate is signed by a CA that is not trusted. We believe that such warnings only confuse most users; more useful would be a warning that indicates when there is a change in the distinguished name of a correspondent or even when the sender's signing key changes indicating a possible phishing attack.
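The key-continuity warning suggested in the quoted conclusions (flag a signing certificate that is being seen for the first time, and a changed key or distinguished name for a known correspondent, the way SSH clients flag a changed host key) can be sketched as follows. This is an added example, not code from the paper or from this post; the class, method and status names and the sample addresses are assumptions, and constructed byte strings stand in for the signer certificate a mail client would extract from an already verified S/MIME signature.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Pin:
    fingerprint: str  # SHA-256 over the signer certificate bytes
    subject_dn: str
    times_seen: int


class SignerContinuity:
    """Per-sender memory of signing certificates, like SSH's known_hosts."""

    def __init__(self):
        self._pins = {}  # lowercased sender address -> Pin

    def check(self, sender, cert_der, subject_dn):
        """Return (status, times_seen) for a message whose signature verified."""
        addr = sender.strip().lower()
        fp = hashlib.sha256(cert_der).hexdigest()
        pin = self._pins.get(addr)
        if pin is None:
            self._pins[addr] = Pin(fp, subject_dn, 1)
            return ("first-seen", 1)
        if pin.fingerprint == fp:
            pin.times_seen += 1
            return ("known", pin.times_seen)
        # Different certificate for a known sender: keep the old pin and warn.
        status = "dn-changed" if pin.subject_dn != subject_dn else "key-changed"
        return (status, pin.times_seen)

    def accept(self, sender, cert_der, subject_dn):
        # Replace the pin only after the user has confirmed the change.
        fp = hashlib.sha256(cert_der).hexdigest()
        self._pins[sender.strip().lower()] = Pin(fp, subject_dn, 1)


def demo():
    # Constructed sample data: byte strings stand in for DER certificates.
    store = SignerContinuity()
    dn = "CN=Example Billing,O=Example Ltd"
    results = [store.check("billing@example.com", b"cert-A", dn) for _ in range(3)]
    # Copycat address: the signature may verify, but the sender is new.
    results.append(store.check("billing@examp1e.com", b"cert-C", "CN=Example Billing"))
    # Known address with a new certificate: same DN, then a different DN.
    results.append(store.check("billing@example.com", b"cert-B", dn))
    results.append(store.check("Billing@Example.com", b"cert-C", "CN=Someone Else"))
    return results
```

Hashing the whole certificate means a routine renewal also reports `key-changed`; pinning a hash of the public key instead would let renewals that keep the same key pass quietly.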
Posted by iang at March 25, 2005 07:16 PM
If there were a real use of signatures meaning that the application interfaced with it based on user defined scenarios then the liability for improper usage could be placed squarely in the user court.
Posted by: Jimbo at March 25, 2005 09:28 PM
S/MIME should not be used for commercial applications, as it first encrypts and then signs, meaning that no signed cleartext can be used for subsequent dispute resolution. There's no way to prove the signature to a third party, if the traffic is encrypted (which it should be).
For email security OpenPGP is the way to go. It is no coincidence that the user-base of OpenPGP is at least an order of magnitude larger than that of S/MIME. And this despite the fact that S/MIME support is built into every major email client out of the box, while OpenPGP support has to be installed as an add-on for most, where it is available at all. Yet, people seem to be willing to go with the less convenient installation, because of the multitude of advantages that OpenPGP offers.
Commercial CAs are single points of failure, sometimes plagued with severe conflicts of interests and incentive incompatibility problems. Even if some bank uses S/MIME, it should operate its own CA. There's no justification for extending trust to some other CA: it invites additional risks, adds costs, while having very few if any benefits.
But I maintain that OpenPGP is vastly superior to S/MIME both in the flexibility of its trust model and in its use of cryptographic primitives.
Posted by: Daniel A. Nagy at March 26, 2005 05:53 AM
You have got to be kidding - decryption loses the signature? So if you decrypt on receipt, then re-encrypt locally as a good app should, you have no way of keeping the sig!
What were these guys smoking...
OK, so I agree with my earlier recommendation of never signing unless you have some notion of what that means. Simply don't sign.
But wait ... I am told that to use S/MIME one has to sign in order to distribute the key! OK, so limping along here. Send blank signed messages to distribute keys, but turn signing off for other messages. That still works.
Posted by: Iang at March 26, 2005 07:47 AM
Daniel, can you have a look at this link:
http://www.faqs.org/rfcs/rfc2633.html
3.5 Signing and Encrypting
And tell me whether you still agree that "S/MIME encrypts then signs?" It seems to be at the choice of the implementation, as that section says you can nest arbitrarily.
iang
Posted by: RFC2633 at March 26, 2005 01:30 PM
Yes, my fault. I confused S/MIME with PEM, both of which are based on the same X.509-based trust model and certificate format, but are otherwise quite different.
S/MIME allows for both orders of signature and encryption. PEM first encrypts then signs.
S/MIME uses PEM certificates.
HTTPS also loses the signature after decryption, and I guess there's a good reason why the banking industry supported this solution: you cannot show your banking statement as a proof, but you can still believe it yourself. If you want to present a proof of your balance to a third party: pay the bank.
Posted by: Daniel A. Nagy at March 28, 2005 01:15 PM
I have received many S/MIME clearsigned messages over the years. I always read my mail in text mode so it is easy to recognize them. The large signature attachments (which include the signer's certificate) are distinctive, as are the types of the MIME body parts.
FYI, a clearsigned message is one where the text is still readable even to someone who doesn't have compliant signature software. It is the preferred mode for messages that are signed but not encrypted.
I've never received an S/MIME encrypted+signed message, of course, since I have no S/MIME decryption key. I don't know whether common mailers like Outlook or OE would auto-switch to encrypt+sign if they happened to find a cert matching the recipient of the message being prepared. But I do know that S/MIME has the power to create signed-only messages.
Posted by: Cypherpunk at March 28, 2005 02:44 PM