Yesterday, I received a disturbing phone call. Someone very close to me, call him John, might lose his job, because a slanderous, offensive email was sent with forged headers, claiming to be John. John certainly did not send the mail, and those close to John know that the tone of the mail does not seem like something John would send. The email made its way to John’s boss, human resources, IT, and other departments. The director of IT said that whoever sent the email, will get fired. Hopefully, they understand the principle of innocent until proven guilty, and all that John has to do, is cast reasonable doubt that he sent the mail. Examining the mail headers should deliver that doubt. I’ve told John that I would be willing to examine the headers, along with his IT department, to help in any way I can. Hopefully, this ends well.
I’ve never known anyone personally that this has happened to, until now. But, I’ve been cryptographically signing my email since 2004. Every single one. I have almost 10,000 emails in my Sent folder, all of which are signed. Further, I think I’ve been very clear to my friends and family, that it is their responsibility to verify the signature. Should they receive an email claiming to come from me, they should doubt the authenticity of the mail if it is not signed.
Of course, this does not prove anything about future email. I may wish to stop signing my mail at anytime. But, all I need to do is cast reasonable doubt that I sent the mail. A back history of over 7 years and 10,000 cryptographically signed emails should cast enough reasonable doubt as to the message is question, should I be placed in that situation. Along with anyone being able to forge email headers, it’s all over. Unless you can clearly, logically, and rationally prove that I sent the mail, there is enough doubt surrounding it, that I remain innocent.
I know others don’t see email the same way I do, and treat their email experience differently, such as John. And in all reality, if setting up OpenPGP or S/MIME wasn’t such a major PITA, it might be more widely used. But for the time being, all I can do is continue to lead by example. For me, the 15 minutes it took for initial setup, and having to provide a passphrase every time I wish to send an email, is peanuts compared to threats, such as this. Of course, if the organization John worked for required S/MIME on their email (I’ve worked for one such organization that made this requirement), then it would be clear that the mail was a fake.
UPDATE: Turns out that this organization has a utility to send messages to anyone in the organization. It’s not email, but some custom, proprietary application. Further, it requires no authentication. Anyone can send messages to anyone pretending to be whoever they wish.