Why you can’t verify who is emailing you, and why you might have been able to.

There is a pranker on the loose.  I tend to like pranks, as long as no-one is hurt, and this guy fits the bill.  He generates a free email account that looks like someone the recipient should know, and emails his target. So far, he has tricked the UK Home Secretary, the Governor of the Bank of England and various members of the Trump administration.  Irrespective of if you think this is harmless pranking, a supportable demonstration of security failures or outright terrorism, why do we not have a system by which we can verify who is emailing us?  That they are who they say they are?  The weird thing, is that we do!  Digital signatures are part of public key encryption, and can verify not only who sent an email, but the email hasn’t been tampered with in the post.  The question is why don’t we use them, and why are they not built into email programs as a matter of course?

I don’t think its a conspiracy, but I do think US government action that means we don’t have this.  As email started to take off in the 1990’s there was a moment where digital signatures could have been built into email clients, but the US government decided encryption technology could be regarded as a military “munitions”, and couldn’t be exported.  The same techniques that allow for digital signatures have this other use: encryption.  By declaring encryption and signing technology a munition, special licences are required to get it built into software that could be sold internationally, and that was just too hard. A culture of encrypting and signing our email was never created, and now we just write email, effectively, on the back of a postcard.

The restrictions were relaxed later, and now, if you look a the address bar for this blog you’ll see it says https.  That ‘s’ stands for ‘secure’, and uses the same technology the US government barred us from in the first place.

Leave a Reply

Your email address will not be published. Required fields are marked *