Gmail Is About To Start Testing Verification-Like Logos For Email (engadget.com)

One of the biggest announcements made in Google's recent announcement of security enhancements for G Suite services is that authenticated logos are coming for emails from participating companies. Engadget reports: Last year Google announced it joined the Brand Indicators for Message Identification (BIMI) group, which is pushing an email spec that adds brand logos to authenticated emails. In practice it seems a lot like the verified stamps that have proliferated across social media, but when you see them it won't be a blue check, it will be the logo of the company that sent the email (Example). Emails are authenticated using the existing DMARC system and then there's certification that applies the associated logo, which hopefully gives people trust an email came from the company or person it's claiming to represent. Google said it will kick off a pilot of the technology within Gmail "in the coming weeks," so don't be surprised when you see those kinds of indicators popping up in the existing avatar box.
  • Been around for many years, why not use those and be really authenticated
    • Because not many people know how to use them or even know they exist. I tried to research private/public keys and how to actually use them but all I found was the same repeated article about some cunt using a magic digital key to encrypt a message that only unlocked with another magic key, but no info on HOW to actually encrypt with a key pair.

      • Re:Digital signature (Score:4, Informative)

        by backbyter ( 896397 ) on Wednesday July 22, 2020 @07:26AM (#60318249)

        This might be helpful to you in a general sense. Step 8 demonstrates the HOW.

        http://www.pitt.edu/~poole/PGP... [pitt.edu]

      • Because not many people know how to use them or even know they exist. I tried to research private/public keys and how to actually use them but all I found was the same repeated article about some cunt using a magic digital key to encrypt a message that only unlocked with another magic key, but no info on HOW to actually encrypt with a key pair.

        I work in encryption. Lots of different types. Like anything else, it can be dumbed-down enough if application developers added security to their products, but for some reason none do - they sprinkle the security fairy-dust on the application after it has been fully baked and put in front of the user.

        For email, the client has to check incoming messages for signatures, then check that the signatures are valid. If the sender signs the message with their private key, the client can use the x509 certs installe

      • Try OpenKeychain for Android, which integrates with K9. Both available on F-Droid too.

        Though frankly, a modern passport often includes a digital signature ready key for this exact purpose. It should be as easy as clicking "sign" and holding your passport up to the NFC/RFID reader. Which I would issue for free with every passport, if I was a government, but nowadays would probably be done via an NFC-enabled smartphone with a secure enclave in the SoC, which banks already use to support paying with your phone

    • Signing something results in a very large number.
      So the recipient has an email with a big number attached. Now what? How does the recipient know whether that message is really from PayPal?

      A check mark can indicate that the message is signed - by someone. It can't tell you who signed the message.

      Maybe you can display the domain name that signed it, Paypal.com? It's impossible to visually distinguish whether PayPal.com is the legitimate domain or if those "a" letters are Cyrillic, making it a completely

  • It's what you'd expect from an advertising company, but no thank you.
  • They won't be popping up in the avatar boxes that don't exist.
  • how about encoding this into the header i.e.

    http://quimby.gnus.org/circus/face/ [gnus.org]

    and allow a SVG favicon as well

  • by richi ( 74551 ) on Wednesday July 22, 2020 @08:01AM (#60318319) Homepage

    BIMI's real goal is to track opens. No thank you, I block remote-load images because I value my privacy.

    Gmail/Gsuite had better make this optional, or I'll be looking elsewhere for my email client needs.

    • How does it track opens when it is being loaded while the email is in your inbox?
      It could track deliveries, but not opens.

      • by richi ( 74551 )
        That depends on the implementation - specifically, whether the SVG URI is fetched/displayed on open or when the list is viewed. But either option has negative privacy implications.
        • The entire point is to give the user an indication of the validity of the sender *before* opening.
          If they're not loading the images before the user opens, it's not meeting the objective.
          I don't disagree that it may be useful for tracking deliveries, and therefore have some negative privacy implications, but it shouldn't behave any differently on opening than any other images are handled by your email client. If you have remote load images disabled already, they're still disabled.

          • by richi ( 74551 )
            Respectfully, you're not thinking like a marketer (or what idiots now call a "growth hacker" FFS.)
            • Comment removed based on user account deletion
              • by richi ( 74551 )
                Nooo young padawan. Absolutely they're going to use this to track individuals. Bob Rudis had an excellent discussion of this a few months ago:

                BIMI isn't solving any problem that well-armored DMARC configurations aren't already solving. It appears to be driven mainly by brand marketing wonks who just want to shove brand logos in front of you and have one more way to track you.
                ...
                Yep, tracking email perusals (even if it's just a list view) will be one of the benefits (to brands and marketing firms) and is m

    • The image would have to be per-domain, not per-email. Something tells me a unique domain per email would get shut down pretty quick. It would really limit the tracking. Especially if Gmail proxied the image loads.

      • by richi ( 74551 )
        There is obvious tension between Google-as-benevolent-cloud-provider and Google-as-evil-marketer. If the latter starts meddling in this, I'll be entirely unsurprised.
  • So.... Now we can set up MTA rules to throw 5.5.x's at all the companies we don't like? Nice...

    We need to set up a DSN for "I hate your company, die in a fire you spammy bastards..."

  • It is strange when I think about it. E-mail has been the same for decades, while the Internet and relative technologies have developed considerably. I wonder why there are no backward-compatible successors, while there are so many instant messaging apps.
    • Because they want closed gardens

      • They do, but it is not them who decides everything. I rather wonder why there is no open source initiative about it (that I know of). Yes, it is one of the dwindling number of decentralized things, to a degree, but it is far from perfect and imho in need of keeping up with other communication means. Plus I think at least small things, like simplification of headers or simpler mailserver setup, could not hurt in any way.
    • by Temkin ( 112574 )

      It is strange when I think about it. E-mail has been the same for decades, while the Internet and relative technologies have developed considerably. I wonder why there are no backward-compatible successors, while there are so many instant messaging apps.

      Two reasons come to mind... Consolidation followed by Oracle killing Sun... Once you could buy a commercial email server that could operate at the Telco scale in the mid to late 90's (i.e. Netscape, Sun's SIMS, which eventually merged... limped on in to Oracle era, and then had their R&D teams gutted...) with de-duplicated message storage, it became possible to set up truly massive centralized email server complexes like Gmail, Yahoo, etc... These companies then provided email for free, and set up mas

  • by awwshit ( 6214476 ) on Wednesday July 22, 2020 @09:14AM (#60318479)

    How did this work out for Bizrate and other verification seals? If I see those seals on a web site I know it's trashy. The first time you have an issue and dive into those seals you find that they are simply paid endorsements and are meaningless in terms of quality and trustworthiness.

    The real issue is out-going email from Gmail. And not even gmail accounts directly but those that use Gmail for corporate email service. I get spam through Gmail constantly - directly from Gmail accounts and from other domains using Gmail. I report it to Google at least twice a week for years, nothing has changed. I still can't trust anything from Gmail.

    When your brand is already dogshit slapping a badge on it does not help.

    • because Google won't be making it a profit center, it'll be a cost center. e.g. it'll be free and used mostly to lock folks into gmail.
    • by Syberz ( 1170343 )

      The logo/badge that Gmail wants to implement isn't meant as a sign of quality, it's made as a sign of legitimacy.

      Spam mail from a legitimate source is still spam, but at least you now know that it's legitimate spam and not some malware installing bullcrap masquerading as contents coming from a legitimate source.

      • So you agree that the new badges will be useless and meaningless. This seems like a non-feature.

  • Give me a break (Score:4, Interesting)

    by c_g_hills ( 110430 ) <(chaz) (at) (chaz6.com)> on Wednesday July 22, 2020 @09:40AM (#60318563) Homepage Journal
    If companies want people to trust the emails they send, they should use the well-established protocols of X.509 and SMIME (see rfc 4262 [ietf.org]).
  • This will be just like the S/Mime icon that emails can have. If someone goes from having one to not having one, no one cares. What would be more useful is if the UI could highlight abnormal behavior. For example, if you regularly receive email from msmash@slashdot.org, and then one day receive an email from msmash@dotslash.org, the email client should have some bright bold warning that there's something suspicious about that last email. Verification icons don't mean a thing.
  • ... who feels like Google is doing everything they can, to turn the federated nature of E-Mail into a gated community perversion like what Whatsapp & co did to Jabber/XMPP.
    Including allowing only web "clients".

    Of course under the usual veil of "security".

  • Scammers will just stick a copy of the logo in their emails and their targets will never know the difference...
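Two of the comments above describe checks a mail client could run instead of trusting a logo: spotting a Cyrillic "a" hidden in PayPal.com, and warning when a familiar name (msmash@slashdot.org) suddenly arrives from an unfamiliar domain (msmash@dotslash.org). The script below is an added example, not code from Slashdot or any commenter; the list of previously seen senders and the confusable table are constructed samples.

```python
import unicodedata

# Constructed sample of addresses this mailbox has received mail from before.
# Hypothetical allow-list, not data from the original discussion.
KNOWN_SENDERS = {"msmash@slashdot.org", "service@paypal.com"}

# Small illustrative table of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans("аеорсухіј", "aeopcyxij")


def scripts_in(label: str) -> set:
    """Collect the Unicode scripts used by the letters of a domain.

    The first word of a character's Unicode name is its script, e.g.
    'LATIN SMALL LETTER A' vs 'CYRILLIC SMALL LETTER A'.
    """
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}


def flag_sender(address: str, known=KNOWN_SENDERS) -> str:
    """Classify a From: address against previously seen senders.

    Returns one of:
      'ok'           - exact match with a known sender
      'lookalike'    - domain equals a known domain once confusables are folded
      'mixed-script' - domain mixes scripts (e.g. Cyrillic letters in a Latin name)
      'reused-name'  - known local part, but a domain never seen before
      'new'          - nothing suspicious, just unfamiliar
    """
    address = address.strip().lower()
    local, _, domain = address.rpartition("@")
    if address in known:
        return "ok"
    known_domains = {k.rpartition("@")[2] for k in known}
    known_locals = {k.rpartition("@")[0] for k in known}
    # Fold look-alike letters first: a domain that becomes a known one is the
    # homograph case, which is more specific than "mixed script".
    if domain.translate(CONFUSABLES) in known_domains:
        return "lookalike"
    if len(scripts_in(domain)) > 1:
        return "mixed-script"
    if local in known_locals:
        return "reused-name"
    return "new"
```

A client would surface anything other than 'ok' or 'new' as a prominent warning, regardless of whether the message carries a logo.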
