Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Abandon e-mail!
Kelly Martin, 2006-05-30

Kelly Martin takes a step back from e-mail's unstoppable phishing-virus-spam epidemic and imagines a world where secure e-mail could be the next big killer app.

Back in 1972, by some accounts, a new form of communication known as e-mail was born. It was a practical implementation of electronic messaging that was first seen on local timeshare computers in the 1960s. I can only imagine how much fun and revolutionary it must have been to use e-mail in those early years, to have been at the bleeding edge of the curve.

Almost ten years later, in November 1981, Jonathan Postel published RFC 788 (later deprecated by RFC 821, also by Postel, and RFC 822 by David Crocker), thereby inventing the foundations of the Simple Mail Transport Protocol (SMTP) - a proposal that would revolutionize e-mail again. Since that time, e-mail has become as important an invention to the world as the telegraph and the telephone, and it has long been synonymous with the Internet itself.

Twenty five years later, we still use essentially the same protocol. And e-mail is a terrible mess. It's dangerous, insecure, unreliable, mostly unwanted, and out-of-control. It's the starting point for a myriad of criminal activity, banking scams, virus outbreaks, identity theft, extortion, stock promotion scams, and of course, the giant iceberg of spam.

The problem is, e-mail is now integral to the lives of perhaps a billion people, businesses, and critical applications around the world. It's a victim of its own success. It's a giant ship on a dangerous collision course. All sorts of brilliant, talented people today put far more work into fixing SMTP in various ways (with anti-virus, anti-phishing technologies, anti-spam, anti-spoofing cumbersome encryption technologies, and much more) than could have ever been foreseen in 1981. But it's all for naught.

A sinking ship

All the work spent fixing e-mail is like rearranging the deck chairs on the Titanic. E-mail is a sinking ship and it should be abandoned just as other insecure technologies like telnet, ftp and the beloved Usenet nntp were "abandoned" years ago. All these old technologies actually live on and in some cases thrive (and in the case of the Usenet, still consume enormous amounts of bandwidth and offer very useful information) but have been mostly superceded by newer protocols. E-mail should be abandoned in much the same way. The problem is, more people depend on e-mail than ever before.

The main reason we will never win the e-mail war against the spammers-phishers-scammers-botnets and their assorted ilk is we're bound by legal standards that limit the ways we can combat e-mail abuse – unlike in the early days of the Internet. The perpetrators are not bound by the law. Therefore the good guys can't win. The only solution is to change the rules. We need to abandon our e-mail infrastructure and concede that the spamming-phishing-virus-writing scumbags have won; moving on is only inevitable.

The problem is, we lack "something better" to abandon e-mail for.

Starting from scratch

E-mail in its current form will never, ever, ever be spam-free. It will never be virus-phishing-scam free. It will cost companies and individuals billions of dollars in theft, criminal activity, and the reality of spam will grow from the 50-70% it is today to 90% of all traffic. E-mail will continue to harm millions of people through banking scams, identity theft, viruses, and more. E-mail will never be secure, because it was never designed to be secure.

The only solution is to start from scratch. Develop a new e-mail system and make it secure. Use existing, proven technologies and a few new and novel ideas – starting with the latest encoding mechanisms, a reliable hashing algorithm, fast compression, strong encryption and signatures. Build an electronic identity. Encode, hash, encrypt, compress, sign, and provide a novel way to share keys when needed, for example. I don't know how this will all turn out, but perhaps yEnc, MD5, AES, H.264, and GPG are some potential technologies that could be used together. A new transport protocol would need to be flexible enough that any of these technologies could be replaced, transparently to the user, as better and stronger options become available. It would need to be seamless for the client – no more messy GPG or other stop-gap solutions that few people actually use. Secure e-mail should be a mandatory "secure bundle" of e-mail that is safe for sending a credit card number to a business or someone I know.

I don't want to think about any of this when I send secure e-mail, however. I just want to type my e-mail and press Send. If I need my secure identity plugged in, say, from a USB key, fine.

The basics of communication

One of the great joys of computers is that newer, better technologies supercede the older insecure ones, yet both the old and new generations still live happily together. There are so many examples of this, I won't even bother listing them here. A completely new, secure e-mail system would be the Internet's next big critical application. If it required IPv6 addressing, maybe secure e-mail would also kill those ridiculous "tiered Internet" ideas with one stone. But I'm just thinking aloud.

Story continued on Page 2 



Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.
    Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Comments Mode:
Abandon e-mail! 2006-05-31
Anonymous (6 replies)
Re: Abandon e-mail! 2006-05-31
Anonymous
Re: Abandon e-mail! 2006-05-31
Stephan Sokolow
Re: Abandon e-mail! 2006-05-31
Paul
Re: Abandon e-mail! 2006-05-31
Anonymous
Re: Abandon e-mail! 2006-05-31
J
Re: Abandon e-mail! 2006-07-27
Anonymous
Rubbish! What are the probIem ISSUES ???? 2006-05-31
Dom De Vitto (1 replies)
Abandon e-mail! 2006-05-31
Kevin Black (1 replies)
Re: Abandon e-mail! 2006-06-01
PDC (1 replies)
Re: Re: Abandon e-mail! 2006-07-12
Anon
Babies and bathwater 2006-05-31
Anonymous
Abandon e-mail! 2006-06-01
Anonymous
Abandon e-mail! 2006-06-01
Anonymous (1 replies)
Re: Abandon e-mail! 2006-06-04
Anonymous
Abandon e-mail! 2006-06-01
Erik N
Abandon snail-mail! 2006-06-01
Phlash (1 replies)
Re: Abandon snail-mail! 2006-06-01
Anonymous (1 replies)
Abandon e-mail! 2006-06-01
Mercury/|Hermes
Um, I Have Your Solution 2006-06-01
Reynolds Kosloskey (3 replies)
Re: Um, I Have Your Solution 2006-06-01
kwesi (1 replies)
Web Based Email 2006-06-01
Reynolds Kosloskey
Re: Um, I Have Your Solution 2006-06-02
Mr. Mail
Abandon e-mail! 2006-06-01
Paul Kosinski (1 replies)
Re: Abandon e-mail! 2006-06-01
Paul Kosinski
Abandon e-mail! 2006-06-01
JeHicks
Abandon e-mail! 2006-06-02
Brush-Head
A bottin 2006-06-02
lucmars
Top 500 Supercomputer 2006-06-02
Anonymous
Abandon mail, too? 2006-06-02
Anonymous
Abandon e-mail! 2006-06-02
Anonymous (1 replies)
Re: Abandon e-mail! 2007-07-25
Anonymous
You're crazy and uninformed! 2006-06-02
Anonymous
Abandon e-mail! 2006-06-02
Anonymous
Abandon e-mail! 2006-06-05
ITDefpat
This is silly. 2006-06-06
Anonymous
The final solution 2006-06-12
Anonymous
Abandon e-mail! 2006-07-01
Richard


 

Privacy Statement
Copyright 2010, SecurityFocus