Gmail Is About To Start Testing Verification-Like Logos For Email (engadget.com)
One of the biggest items in Google's recent announcement of security enhancements for G Suite services is that authenticated logos are coming for emails from participating companies. Engadget reports: Last year Google announced it joined the Brand Indicators for Message Identification (BIMI) group, which is pushing an email spec that adds brand logos to authenticated emails. In practice it seems a lot like the verified stamps that have proliferated across social media, but when you see them it won't be a blue check, it will be the logo of the company that sent the email (Example). Emails are authenticated using the existing DMARC system, and then a certification step applies the associated logo, which hopefully gives people confidence that an email came from the company or person it claims to represent. Google said it will kick off a pilot of the technology within Gmail "in the coming weeks," so don't be surprised when you see those kinds of indicators popping up in the existing avatar box.
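The chain the summary describes (DMARC authentication first, then a certified logo) can be followed record by record. The following is an added example, not code from the article, Engadget or Google: it parses DMARC and BIMI DNS TXT records in the layouts published in RFC 7489 and the BIMI draft, treats the "certification" step as the presence of the BIMI `a=` evidence tag (an assumption about how a client would gate the logo), and substitutes constructed DNS answers for live lookups so it runs offline.

```python
"""Walk the BIMI trust chain for one sending domain, offline.

Added example, not code from the article or from Google. Record layouts
follow RFC 7489 (DMARC) and the BIMI draft; the DNS answers below are
constructed sample data, not real lookups."""

# Constructed TXT answers for two hypothetical sending domains.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/brand.svg;",
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed table."""
    return SAMPLE_DNS.get(name)

def parse_tags(record):
    """Split 'k=v; k2=v2' into a dict with lowercase tag names and stripped values."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcing(domain):
    """True only when the domain's DMARC policy is quarantine or reject.

    BIMI requires an enforcing policy: a p=none domain has told the world it
    does not reject spoofed mail, so its logo must not be shown."""
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None:
        return False
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return False
    return tags.get("p") in ("quarantine", "reject")

def bimi_assertion(domain, selector="default"):
    """Return (logo_url, evidence_url) from the BIMI record, or None if unusable."""
    record = lookup_txt(f"{selector}._bimi.{domain}")
    if record is None:
        return None
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return None
    logo = tags.get("l") or None
    evidence = tags.get("a") or None
    if logo and not logo.startswith("https://"):
        return None  # the draft requires the logo to be fetched over HTTPS
    return (logo, evidence)

def evaluate(domain, dmarc_pass, require_evidence=True):
    """Decide whether a client may display the logo for one message.

    dmarc_pass is the per-message DMARC result; require_evidence models the
    certification step as a mandatory a= tag (assumption)."""
    if not dmarc_pass:
        return ("no-logo", "message failed DMARC")
    if not dmarc_enforcing(domain):
        return ("no-logo", "domain DMARC policy is not quarantine/reject")
    assertion = bimi_assertion(domain)
    if assertion is None:
        return ("no-logo", "no usable BIMI record")
    logo, evidence = assertion
    if require_evidence and evidence is None:
        return ("no-logo", "BIMI record carries no evidence document")
    return ("show-logo", logo)

if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        print(d, evaluate(d, dmarc_pass=True))
```

The order of the checks is the point: a message-level DMARC pass is necessary but not sufficient, because the logo also depends on the domain publishing an enforcing policy and on the evidence document the certification step supplies.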
Re: (Score:1)
If someone falls for phishing just permanently ban them from the service. If they refuse to learn their lesson then they're better off being shown the door.
Re: (Score:2)
There have been years of efforts put into making people aware of these scams and people still fall for them, and the victims do nothing but make excuses. For example, there was a married woman who threw huge piles of money at a blatantly obvious scam [bbc.co.uk] because "His voice was so lovely, so soft. He started with his stories and my heart just melted."
There's no helping people like this. Just kick them straight off until they can prove they've educated themselves. This is not a technology problem, this is a PEBKAC.
Re: (Score:3)
Might help reduce phishing, because now, if an email contains a logo but isn't from a verified sender, the chance of it being phishing is very high. With a bit of image recognition a lot of phishing messages can be caught that way.
Re:Pretty much useless (Score:4, Interesting)
Also, we're talking spamming and phishing here; high volume, low rate of return, and VERY low cost (especially if using somebody else's resources via a Botnet). It doesn't need to be 100% accurate; it just needs to convince enough people to click the link to make the limited amount of time and effort worthwhile, so if it's lacking the green tick or whatever BIMI validation indicator Google et al use, that's going to mean it's about as effective a warning sign as the HTTPS/padlock link indicator is for a spoofed website, which is to say pretty much not at all.
Time will tell though, but while it will no doubt save a few people from being scammed, I'm still deeply skeptical as to whether it'll be enough to justify the time and effort of the various implementations. On the plus side, it will encourage companies to spend money on something they probably don't really need now that EV certs have pretty much flopped, so from the perspective of the registrars and CAs that will be providing BIMI support services it's money in the bank regardless. So, all good, right?
Re: (Score:2)
Yep - this is definitely going to require more than domain-level verification. This is going to amplify the false sense of security aspect. A fake logo makes it look even *more* convincing. This is part of why the green address bar went away in browsers - though I suspect that was driven 70% by aesthetics.
Re: (Score:3)
It's unfortunately true that spammers and scammers have already found ways to circumvent the anti-spam measures. Meanwhile it's almost impossible now to set up a personal email server due to all the constraints that exist to restrict spam.
The end result is effectively that email as it used to be is dying and all we will soon have left is megacorporations offering email services for a fee.
Email dying (Score:2)
Don't worry too much about email servers; email is an accident of history and will die. Soon everything will be broken up into incompatible, siloed messaging servers, with Teams and Slack bringing business to IM. Kids do not know what E-Mail is.
Digital signature (Score:1)
Re: (Score:3)
Because not many people know how to use them or even know they exist. I tried to research private/public keys and how to actually use them but all I found was the same repeated article about some cunt using a magic digital key to encrypt a message that only unlocked with another magic key, but no info on HOW to actually encrypt with a key pair.
Re:Digital signature (Score:4, Informative)
This might be helpful to you in a general sense. Step 8 demonstrates the HOW.
http://www.pitt.edu/~poole/PGP... [pitt.edu]
Re: (Score:3)
Because not many people know how to use them or even know they exist. I tried to research private/public keys and how to actually use them but all I found was the same repeated article about some cunt using a magic digital key to encrypt a message that only unlocked with another magic key, but no info on HOW to actually encrypt with a key pair.
I work in encryption. Lots of different types. Like anything else, it could be dumbed down enough if application developers added security to their products, but for some reason none do - they sprinkle the security fairy-dust on the application after it has been fully baked and put in front of the user.
For email, the client has to check incoming messages for signatures, then check that the signatures are valid. If the sender signs the message with their private key, the client can use the x509 certs installe
Re: Digital signature (Score:2)
Try OpenKeychain for Android, which integrates with K9. Both available on F-Droid too.
Though frankly, a modern passport often includes a digital-signature-ready key for this exact purpose. It should be as easy as clicking "sign" and holding your passport up to the NFC/RFID reader. Which I would issue for free with every passport, if I were a government, but nowadays it would probably be done via an NFC-enabled smartphone with a secure enclave in the SoC, which banks already use to support paying with your phone.
This displays the digital signature result (Score:2)
Signing something results in a very large number.
So the recipient has an email with a big number attached. Now what? How does the recipient know whether that message is really from PayPal?
A check mark can indicate that the message is signed - by someone. It can't tell you who signed the message.
Maybe you can display the domain name that signed it, Paypal.com? It's impossible to visually distinguish whether PayPal.com is the legitimate domain or if those "a" letters are Cyrillic, making it a completely
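The look-alike problem raised in this comment is something a client can check for before it displays a signing domain next to a logo. The following is an added example, not code from the thread or from any mail provider: it flags domain labels that mix Latin with another script (the Cyrillic letters described above) and compares a confusable-folded "skeleton" of the domain against a known brand domain. The confusable table is a small hand-picked subset rather than the full Unicode TR39 data, and the sample domains are constructed.

```python
"""Spot look-alike sender domains before a name or logo is displayed.

Added example, not code from the thread or from any mail client. The
confusable table is a constructed subset of Cyrillic letters that render
like Latin ones; a production check would use the full Unicode TR39 data."""
import unicodedata

# Constructed subset: Cyrillic letters that visually match Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}

def to_unicode(domain):
    """Decode xn-- (punycode) labels so the check sees what the user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not decodable: judge it as given

def script_of(ch):
    """Coarse script bucket derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "COMMON"  # digits and hyphen belong to every script
    return "OTHER"

def assess_domain(domain):
    """Classify a domain as 'ok' (all ASCII), 'idn' (single-script non-ASCII),
    or 'mixed-script' (one label combines scripts, the classic homograph)."""
    domain = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            return ("mixed-script", f"label {label!r} mixes {sorted(scripts)}")
    if domain.isascii():
        return ("ok", "all-ASCII")
    return ("idn", "non-ASCII but single-script labels")

def skeleton(domain):
    """Fold confusable letters to their Latin look-alikes for comparison."""
    domain = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    return "".join(CONFUSABLES.get(c, c) for c in domain)

def impersonates(domain, brand_domain):
    """True when domain renders like brand_domain but is not literally it."""
    return domain != brand_domain and skeleton(domain) == skeleton(brand_domain)

if __name__ == "__main__":
    # Constructed sample: Latin 'paypal.com' next to one with a Cyrillic 'а'.
    for d in ("paypal.com", "p\u0430ypal.com"):
        print(d, assess_domain(d), impersonates(d, "paypal.com"))
```

The two checks are complementary: mixed-script detection needs no list of brands but misses an all-Cyrillic label, while the skeleton comparison catches that case for the brands a client knows about.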
Brands and logos in my email lists. 'Thanks'. (Score:1)
"Existing" avatar box (Score:1)
X-Face/Face how about SVG - encode in header (Score:3)
How about encoding this into the header, i.e.
http://quimby.gnus.org/circus/face/ [gnus.org]
and allow an SVG favicon as well
Get lost. How about, "No"? (Score:3)
BIMI's real goal is to track opens. No thank you, I block remote-load images because I value my privacy.
Gmail/Gsuite had better make this optional, or I'll be looking elsewhere for my email client needs.
Re: (Score:2)
How does it track opens when it is being loaded while the email is in your inbox?
It could track deliveries, but not opens.
Re: (Score:2)
The entire point is to give the user an indication of the validity of the sender *before* opening.
If they're not loading the images before the user opens, it's not meeting the objective.
I don't disagree that it may be useful for tracking deliveries, and therefore have some negative privacy implications, but it shouldn't behave any differently on opening than any other images are handled by your email client. If you have remote load images disabled already, they're still disabled.
Re: (Score:2)
The image would have to be per-domain, not per-email. Something tells me a unique domain per email would get shut down pretty quick. It would really limit the tracking. Especially if Gmail proxied the image loads.
Think of the possibilities! (Score:2)
So.... Now we can set up MTA rules to throw 5.5.x's at all the companies we don't like? Nice...
We need to set up a DSN for "I hate your company, die in a fire you spammy bastards..."
E-mail has stopped developing (Score:1)
Re: E-mail has stopped developing (Score:1)
Because they want closed gardens.
Re: (Score:2)
It is strange when I think about it. E-mail has been the same for decades, while the Internet and related technologies have developed considerably. I wonder why there are no backward-compatible successors, while there are so many instant messaging apps.
Two reasons come to mind... Consolidation followed by Oracle killing Sun... Once you could buy a commercial email server that could operate at the Telco scale in the mid to late 90's (i.e. Netscape, Sun's SIMS, which eventually merged... limped on in to Oracle era, and then had their R&D teams gutted...) with de-duplicated message storage, it became possible to set up truly massive centralized email server complexes like Gmail, Yahoo, etc... These companies then provided email for free, and set up mas
Bizrate (Score:3)
How did this work out for Bizrate and other verification seals? If I see those seals on a web site I know it's trashy. The first time you have an issue and dive into those seals you find that they are simply paid endorsements and are meaningless in terms of quality and trustworthiness.
The real issue is outgoing email from Gmail. And not even Gmail accounts directly but those that use Gmail for corporate email service. I get spam through Gmail constantly - directly from Gmail accounts and from other domains using Gmail. I have been reporting it to Google at least twice a week for years; nothing has changed. I still can't trust anything from Gmail.
When your brand is already dogshit, slapping a badge on it does not help.
It'll probably work for Google (Score:2)
Re: (Score:2)
The logo/badge that Gmail wants to implement isn't meant as a sign of quality, it's made as a sign of legitimacy.
Spam mail from a legitimate source is still spam, but at least you now know that it's legitimate spam and not some malware installing bullcrap masquerading as contents coming from a legitimate source.
Re: (Score:2)
So you agree that the new badges will be useless and meaningless. This seems like a non-feature.
Give me a break (Score:4, Interesting)
This is backwards (Score:2)
Am I the only one ... (Score:2)
... who feels like Google is doing everything they can to turn the federated nature of E-Mail into a gated community perversion like what Whatsapp & co did to Jabber/XMPP.
Including allowing only web "clients".
Of course under the usual veil of "security".
As stupid as the "secure website" logos (Score:2)
Scammers will just stick a copy of the logo in their emails and their targets will never know the difference...