BOSTON (05/23/2000) - Here's a message I hope I'll never have to send:
Hello. You're in my address book and therefore have probably been sent an e-mail "from me" containing a zipped attachment - which I supposedly received from [Sender], [Title] at [Prominent] [Company].
Do NOT open the zipped attachment - this is the worm virus in the news. Simply delete the e-mail.
I received this pathetic missive in the wake of the so-called Love Bug's predecessor, ExploreZip.worm. These worms, while clever, are more socially than technically adept. A victim is attacked by a message that seems to come from an acquaintance. In reality, of course, the poisoned message comes from a trusted person's machine, not that trusted person.
After the Love Bug, experts made the same tired recommendations we always see:
-- Disable macro languages.
-- Ban attachments in corporate environments.
-- Don't open any attachment you aren't sure about.
Will we ever learn? This isn't really about viruses and worms at all; it's about identity.
You probably do most of your business through e-mail, where you're represented by nothing more than an e-mail address. Everybody knows it's trivial to forge an e-mail address, and we now know it's also far too easy to hijack somebody's e-mail program. Sadly, a solution has been widely available - and almost universally ignored - for almost five years.
Since 1996, the e-mail clients bundled with both Microsoft Corp.'s and Netscape Communications Corp.'s browsers have enabled us to digitally sign our messages and thus prove our identities to recipients. I sign all my e-mail messages, but I can count on the fingers of two hands the people who have ever sent me signed e-mail. Leave out cryptography experts, and I only need one hand.
To sign your e-mail, you need a client certificate, a.k.a. digital identification. These are like the server certificates that secure Web sites use to support Secure Sockets Layer (SSL) connections. But server certificates do more than just activate SSL. They also authenticate servers to clients - that is, they prove to your browser that it's really connected to Amazon.com and not to some rogue site.
The dirty little secret of e-commerce is that clients aren't authenticated to servers. You know that Amazon.com is Amazon.com, but it doesn't know who you are; it knows only that you're somebody's valid credit-card number. Why not use a client certificate? It takes effort to acquire and use one, and nobody wants to slow the e-commerce juggernaut by asking people to make that effort.
It's long past time to rethink this lazy approach. The same client certificates that could help stem the growing tide of online credit-card fraud could also ward off these e-mail hacks. You can get a basic client certificate from VeriSign Inc. (www.verisign.com/client/index.html) for $15 per year. Or you can get one for free from Thawte Consulting (www.thawte.com/certs/personal/contents.html), which is a VeriSign company. At these sites, you fill out some forms, receive a certificate and install it into your browser. A basic certificate attests that the e-mail address it's bound to is the same one used to request it. That's a weak assurance of identity, but it's infinitely better than none. You can, of course, pay more for stronger assurance backed by real notaries and real paperwork.
How would digital signing have thwarted the Love Bug? I've configured my e-mail program to sign all outbound messages. Plus, I use the most stringent signing policy, which requires me to type the digital ID password once per message. A hassle, sure, but it beats wrecking my colleagues' disks and reputations.
People regard digital signatures as a geeky affectation. We should see them as a mark of professionalism. If we're doing business by e-mail, we should expect proof of one another's identities, and we should want to offer such proof ourselves.
Jon Udell is an independent Web/Internet consultant and the author of Practical Internet Groupware. Contact him at firstname.lastname@example.org.