AlienRobot 4 days ago

Isn't it a bit crazy that phishing e-mails still exist? Like, couldn't this be solved by encrypting something in a header and using a public key in the DNS to unencrypt it?

mxuribe 4 days ago | parent | next

I'm not a top-level expert in cybersecurity nor email infra....but the little that i know has taught me that i merely have to create a similar-looking domain name...

Let's say there's a company named Awesome...and i register the domain name of AwesomeSupport.com. I could be a total dark hat/evil hacker/ne'er-do-well....and this domain may not be infringing on any trademark, etc. And, then i can start using all the encryption you noted...which merely means that *my domain name* (the bad one) is "technically sound"...but of course, all that use of encryption fails to convey that i am not the legitimate Awesome company. So, how is the victim supposed to know which of the domains is legit or not? Especially considering that some departments of the real, legit Awesome company might register their own domain name to use for actual, real reasons - like the marketing department might register MyAwesome.com...for managing customer accounts, etc.

Is encryption necessary in digital life? Hellz yeah! Does it solve *all issues*? Hellz no! :-)

emporas 3 days ago | parent | next

Email is not relevant to a good encryption scheme. You could sign an email, an image you post on Insta, a chat message, anything really.

Thing is, where are the user's credentials stored? In a government's computer probably. Greece is taking some steps towards this [1].

For a Greek citizen to obtain a digital signature, he has to go to a bank, the bank verifies him, he pays a fee and then the government can accept his digital signature. My guess is that the dictatorship banks established with the Covid excuse might start to bear some fruits finally.

But, people on the internet might want something more advanced, more secure than some COBOL computers storing their identity. Then we save digital certificates and digital identities on the blockchain, making essentially the blockchain the heart of the internet.

When a person from a company sends a message to a client, he can sign the message with his own identity and the identity of the company. Problem solved. No one gets confused when the cryptographic signatures are not verified. The message is invalid and it is redirected to the spam folder.

[1] https://www.gov.gr/en/ipiresies/polites-kai-kathemerinoteta/...

gfody 4 days ago | parent | prev | next

an OV cert "solves" this, but you'd still have to bother to check it

mxuribe 4 days ago | parent

True! But, the possibility exists that enough % of victims do not indeed check the OV cert. Also, are we 100% sure that every single legit company that you and I do business with, has an OV cert for their websites?

AlienRobot 4 days ago | parent | prev

This honestly doesn't feel like it should be the case.

There aren't that many websites. The e-mail provider could have a list of "popular" domains, and the user could have their own list of trusted domains.

There are all sorts of ways to warn the user about it, e.g. "you have never interacted with this domain before." Even simply showing other e-mails from the same domain would be enough to prevent phishing in some cases.

There are practical ways to solve this problem. They aren't perfect but they are very feasible.
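The two client-side checks proposed above ("you have never interacted with this domain before" and a user-kept trusted list), as an added example that is not code from the thread. The mailbox history, the trusted list and the small confusable table are constructed for the example; a real client would take the history from the mail store and use the full Unicode confusables data. It also adds a lookalike test against the trusted list, which catches the AwesomeSupport.com case from earlier in the thread while leaving a domain the user has explicitly trusted (MyAwesome.com) alone.

```python
import unicodedata

# Constructed sample data (assumption, not taken from the thread): domains of
# mail this user has received before, and a user-maintained trusted list.
MAILBOX_HISTORY = ["awesome.com", "awesome.com", "github.com",
                   "myawesome.com", "news.example.org"]
TRUSTED_DOMAINS = {"awesome.com", "myawesome.com", "github.com"}

# Tiny confusable table (assumption: stands in for the Unicode confusables
# data). Each key is a glyph sequence a reader perceives as the value.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("\u0430", "a"), ("\u043e", "o"), ("\u0435", "e")]


def skeleton(domain: str) -> str:
    """Fold a domain to the string a casual reader would perceive."""
    s = unicodedata.normalize("NFKC", domain.strip().lower())
    for look, real in CONFUSABLES:
        s = s.replace(look, real)
    return s


def brand_label(domain: str) -> str:
    """Second-level label, e.g. 'awesome' for 'mail.awesome.com'.
    Assumption: no public-suffix handling (awesome.co.uk would give 'co')."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(sender_domain, history=MAILBOX_HISTORY, trusted=TRUSTED_DOMAINS):
    """Return the warnings a mail client could show for this sender domain.
    A domain on the user's trusted list never gets a warning."""
    warnings = []
    d = sender_domain.lower()
    if d in trusted:
        return warnings
    if d not in history:
        warnings.append("first contact: you have never received mail from %s" % d)
    sk = skeleton(d)
    for t in sorted(trusted):
        reason = None
        if skeleton(t) == sk:
            reason = "confusable spelling"
        elif levenshtein(brand_label(sk), brand_label(t)) <= 1:
            reason = "near-identical name"
        elif brand_label(t) in brand_label(sk):
            reason = "contains the trusted name"
        if reason:
            warnings.append("lookalike of %s (%s)" % (t, reason))
    return warnings


if __name__ == "__main__":
    for sender in ["awesome.com", "awesomesupport.com", "awes0me.com",
                   "news.example.org", "myawesome.com"]:
        print(sender, "->", assess_sender(sender) or ["no warning"])
```

The trusted-list short-circuit is what keeps the marketing department's MyAwesome.com from being flagged: the heuristics only run for domains the user has not vouched for, which is also why the user, not the provider, has to own that list.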

mxuribe 4 days ago | parent

My previous comments were merely in response to your original comments...so really only to point out that bare use of encryption by itself is not sufficient protection - that's all.

To your more recent points, i agree that there are several other protections in place...and depending on a number of factors, some folks have more at their disposal, and others might have less...but, still there are mechanisms in place to help - without a doubt. But yet with all these mechanisms in place, people still fall prey to phishing attacks...and sometimes those victims are not lay people, but actual technologists. So, i think the solution(s) to solve this are not so simple, and likely are not only tech-based. ;-)

procaryote 4 days ago | parent | prev | next

I might be missing the joke, but there are several layers like SPF and DMARC available to only allow your whitelisted servers to send email on the behalf of your domain.

Wouldn't help in this case where someone bought a domain that looked a tiny bit like the authentic one for a very casual observer.
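An added example (not code from the thread) of the DMARC evaluation this comment and mxuribe's AwesomeSupport.com scenario both describe: SPF, DKIM alignment and the published policy let a receiver reject mail that claims to be From: awesome.com but was not sent by awesome.com's whitelisted servers, yet the lookalike domain publishes its own SPF and DMARC records and passes just as cleanly. The DNS records and the three messages are constructed; DKIM signature verification is assumed to have already run, so its result is passed in as a (d= domain, verified) pair. The SPF evaluator handles only ip4/ip6 mechanisms and the all terminator, and the organizational domain is approximated as the last two labels.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (assumption, not real
# records): the brand's domain and the attacker's lookalike domain.
DNS_TXT = {
    "awesome.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.awesome.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "awesomesupport.com": "v=spf1 ip4:198.51.100.7 -all",
    "_dmarc.awesomesupport.com": "v=DMARC1; p=reject",
}


def org_domain(domain):
    """Organizational domain, approximated as the last two labels
    (assumption: no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def spf_check(source_ip, domain):
    """Minimal SPF evaluator: ip4:/ip6: mechanisms and the 'all' terminator
    only (no include/a/mx/redirect). Returns an SPF result string."""
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # unsupported mechanism, skipped in this example
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def dmarc_record(domain):
    """Parse the _dmarc TXT record into a tag dict, or None if absent."""
    rec = DNS_TXT.get("_dmarc." + domain.lower())
    if not rec or not rec.startswith("v=DMARC1"):
        return None
    return dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)


def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment: 's' requires an exact match, 'r' (relaxed)
    only the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, source_ip, dkim_results):
    """Evaluate DMARC for one message. dkim_results is a list of
    (d= domain, signature_verified) pairs from a DKIM verifier that is
    assumed to have already run."""
    policy = dmarc_record(from_domain)
    if policy is None:
        return {"result": "none", "disposition": "none"}
    spf = spf_check(source_ip, mail_from_domain)
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(ok and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, ok in dkim_results)
    passed = spf_ok or dkim_ok
    return {"result": "pass" if passed else "fail",
            "disposition": "none" if passed else policy.get("p", "none"),
            "spf": spf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Constructed messages: legitimate, a direct spoof of the brand's domain,
    # and the lookalike domain sending under its own name.
    print("legit   ", dmarc_evaluate("awesome.com", "awesome.com",
                                     "203.0.113.10", [("awesome.com", True)]))
    print("spoof   ", dmarc_evaluate("awesome.com", "awesomesupport.com",
                                     "198.51.100.7", [("awesomesupport.com", True)]))
    print("lookalike", dmarc_evaluate("awesomesupport.com", "awesomesupport.com",
                                      "198.51.100.7", [("awesomesupport.com", True)]))
```

The spoof case is the one DMARC exists for: the attacker's DKIM signature verifies (it is their key), but d=awesomesupport.com is not aligned with the From: domain, and their IP is not in awesome.com's SPF record, so the reject policy applies. The lookalike case passes every check, because the attacker controls that domain's DNS; authentication proves who owns the sending domain, not whether the recipient should trust it.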

1970-01-01 4 days ago | parent | prev

100% solved and has been for a very long time. The PGP/GPG trust chain goes CLUNK CLUNK CLUNK. Everyone shuts it off after a week or so of experimentation.