sunnuntai 6. maaliskuuta 2016

Secure and confidential


Just some days ago I received an email, with contents indicating that this is Confidential message for recipient only (yes, with capital C.)  And to read the actual message I would need to click through onto a web page (which in turn is secured by SSL, according to message.)

In this case this isn't a fraud or virus, but actual message from an official agency (sorry, I'll keep the exact details a bit vague.)  Of course I verify that the link is valid (or at least looks valid enough) before clicking it, and click it, expecting to need some kind of authentication - this being a Confidential and Secure message after all.

And there is nothing.

No verification at all. No authentication. Just the message, available to anyone who'd open that link in non-encrypted email. What, exactly, is the point?

Message wasn't even that important, just confirmation about minor detail. Worst of it was, though, it wasn't even meant to me! Subject was vague enough so it could plausibly be for me, but only after reading contents I noticed that the recipient address of email wasn't mine, but it only came to me as I use catch-all email address on our domain. Whoever sent it screwed up and dropped a letter from intended address. No harm done though this time, as this was company business and not something more private.

So overall, this Secure and Confidential message wasn't really either. Good job there, boys and girls, good job. (insert slow clap here)

Now, this kind of secure messaging system seems to be becoming more common around here as banks and insurance companies seem to be using this kind of system; you'll receive only a notification of pending message with email, no details included, but at least those require you to actually authenticate before they let you (or anyone) to read the messages. So far I haven't received anything really important through these systems, just some confirmations and notifications, but on positive side they at least are more secure than this charade.

But just to mention that security-wise this (banks' system, not this failure of one I described) is correct: having no separation of important and non-important messages is a good thing. When everything is encrypted, the bad guys (be they government or private) have to spend considerably more effort to get to the good stuff. Yes, I really think everything should be encrypted and decentralized all the time (latter pretty much invalidates all current messaging services as they are way too easily compromised by single National Security Letter or equivalent.) I just hope email security (PGP and variants) would be become easy enough for absolutely everyone to use it all the time, as there really aren't any real alternatives at the moment. Of course PGP doesn't hide the infamous metadata (just the contents) but that is another issue...


Ei kommentteja:

Lähetä kommentti