Re: Google threatens to break Gmail


 



Christian Huitema wrote:
> Brian E Carpenter wrote:
>> 
>> On 23/10/2015 02:57, Russ Housley wrote:
>>> ...
>>> It seems to me that DMARC re-writing is a more important feature for this
>>> community.  I think we should drop support for the password messages and
>>> move to a newer version.  I'd like the tools team to check this out, and then
>>> if the newer version will not introduce other surprises, move to the newer
>>> version.
>> 
>> The primitive rewriting of the From is a bug in itself, because it destroys
>> important information (who sent the message, even if they are a non-
>> subscriber).
> 
> +1.
> 
> Rewriting the "From:" header trains users to only look at the user
> friendly name, and to overlook the rewritten address.
> The potential for phishing is interesting.

I do not see any increased potential for phishing.
Rather the opposite -- DMARC could be abused to give users a false
sense of security and fall to the flawed assumption that it would
authenticate the EMail author (which it doesn't).


Interestingly, there essentially is a legal requirement for rewriting
the From: header field for addresses that publish DMARC records when
delivering EMail to places where DMARC processing isn't outright illegal
(DMARC processing is clearly illegal in the EU), because handing an
EMail to an MTA that might be processing DMARC will be illegal in the EU
just as processing DMARC oneself.  So one of the alternatives to
unconditionally bouncing a DMARC-impaired EMail, will be rewriting the From:.


-Martin



