Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Gmail Deploys Support BIMI Security Standard (therecord.media) 50

Google has rolled out support for the new Brand Indicators for Message Identification (BIMI) standard to all Gmail users as part of an effort to improve email-sender authenticity. From a report: The new standard is hard to comprehend for non-technical users, but it basically allows companies that have implemented email security standards like DMARC, DKIM, and SPF for their email domains to show "authenticated logos" inside email clients. Since all these security protocols rely on digital certificates and advanced cryptography, the verified logos will only appear for a company's real email domain and not for spoofed emails sent by scammers or cybercrime groups.
This discussion has been archived. No new comments can be posted.

Gmail Deploys Support BIMI Security Standard

Comments Filter:
  • * How does this help visually impaired users?

    * What is stopping a regular weirdo to use BoA's logo or anything else as their profile picture?

    * Couldn't a regular phishing alert be deployed instead of making this system rely on users look at pictures?

    • by truedfx ( 802492 ) on Tuesday July 13, 2021 @02:05PM (#61579071)
      The article gives a very strong impression that this is not for the benefit of users at all, that this is for the benefit of the companies, so whether it helps visually impaired users is not relevant.

      According to a 2018 trial with Yahoo users, Verizon said that after adding verified logos next to inbox emails, they saw a 10% increase in customer engagements, as users tended to click on emails with a logo more often, driving traffic to companies which tested the technology.

      • Are you sure [youtu.be] about that?

      • Sounds to me as though this is a carrot approach to incentivize companies to set up DMARC, SPF and DKIM appropriately. Sounds like a pretty smart plan to me. Have the money center of a business (Sales/Marketing) push for a technology that they want, which happens to require a secure configuration.

      • It is purely a marketing gimmick, nothing to do with security. If there was any security benefit it would have seen uptake twenty years ago when it was first introduced as a PKI element [ietf.org], as opposed to the current reinvention by the Google children. Presumably Google has some way of monetizing this, which is why they're doing it.
      • The article gives a very strong impression that this is not for the benefit of users at all, that this is for the benefit of the companies,

        Why not both? Can you point me to some economic principle that shows there can be only one benefactor for any development?

        It is logo based advertisement and brand recognition which benefit companies.
        It is cryptographically ensured that these logos match said companies and don't get spoofed by phishers directing you to www.paypal.com.ru which is of benefit consumers.

  • Today, only DigiCert and Entrust can issue VMCs for BIMI authentication, but in a press release, the BIMI team said they expect the list of supporting Certification Authorities to expand in the future.

    So, this is like those Verified "green-status-bar" (Extended Validation?) certificates back in the day, which were triple the cost of a standard certificate, but for email? Also, no support for Let's Encrypt, either. I wonder if the VMC will require a EV certificate as well?

    • It is worse, the cost is pretty high and you also need to have your logo trademarked beforehand that is a fairly long process.

      • by mysidia ( 191772 )

        pretty high and you also need to have your logo trademarked beforehand

        Worse than that it appears to indicate for example in the US: a registration with your local state office would be inadequate, and you must register nationally with the USPTO -- That takes over a year potentially to go through this process and while the app fees for a logo mark and renewal are significant, But in reality you need to hire a lawyer to ensure it gets done properly and accepted, because the process is complicated.

        DigiCert's

        • That is a long time..

          In here it took a bit more than a month to get a trademark registered and no lawyer needed.

      • In the US perhaps, but in many countries it can be relatively cheap & quick. But that begs the question: Trademarked where? What if there's a regionally conflicting trademark? Does the domain have to be registered anywhere in the entity's trademark documents?

        Validating regional trademarks is waaay too much work to be practical.

        Filter error: Your comment looks too much like ascii art.

        WTF?!

    • by mysidia ( 191772 )

      Yes, except it is even worse... Whoever's writing these standards is not Doing it in the public interest IMO; It's a clear money grab.

      This will Only protect large companies, Because they are requiring you have a federally registered trademark which is in itself a process that costs more than $300, then it looks like it's going to be another $1500 for the VMC certificate.

      Well.. It certainly is Not a lot of Non-profits and Smaller businesses who can be targeted by Phishing attacks just as much and ha

  • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Tuesday July 13, 2021 @01:30PM (#61578909) Homepage

    It's been possible to authenticate email senders via S/MIME for years now and virtually all email clients support it, yet virtually noone bothers to sign their messages.

    • Also, modern smartphones have all the capabilities to sign with a legally valid digital signature stored in your passport.

      Technically, any e-mail client should be capable of letting you write a mail, choose "sign", hold your passport up to your phone's NFC, and enter some password.

      The phone could also serve as a reader terminal for your PC.
      (Because of its secure enclave chip. IFF you trust it or have full access.)

    • Funny enough I started signing my emails a few months back with S/MIME.

    • by ceoyoyo ( 59147 )

      Yeah, but this is corporate logos! Everyone wants their logo on things! Now we can get spam we can trust, only from companies rich enough to pay off a bunch of other companies that produce special numbers. This is truly a historic moment for the Internet!

    • In 1993, I started developing a product that supported PEM and S/MIME. It also supported SFTP, FTPS and encrypted FAX. It supported DKIM (before it was adopted by scammers and spammers). And, it supported SenderID when that became available.

      At the time it was ready for market, Microsoft and Netscape offered S/MIME in their products. My product was much easier to easier to use and setup. But, how do you compete with free? And endcap in CompUSA was $250K. And, back then, it was hard enough convincing

      • by Anonymous Coward

        We do have fantastic encrypted communication chat tools like Signal. But, not really for email.

        Yeah, well, it doesn't help security when ISPs frequently (and intentionally) deploy Cisco PIX-like appliances to intercept outgoing SMTP traffic, remove the STARTTLS advertisements from EHLO responses and return "500 #5.5.1 command not recognized" responses to STARTTLS commands. Just so they can scrape your email for marketing purposes.

        • Thatâ(TM)s why encryption and signing needs to happen in the client and not on the mail server. They canâ(TM)t scrape what they canâ(TM)t see.

          However, unless there is a way to hide the headers, they can still do traffic analysis. But, if the clients do their job properly, spam shouldnâ(TM)t ever be seen. Naturally, that wouldnâ(TM)t sit well with the big iSPs.

    • by tlhIngan ( 30335 )

      It's been possible to authenticate email senders via S/MIME for years now and virtually all email clients support it, yet virtually noone bothers to sign their messages.

      People must be using it, because most S/MIME certificate providers charge for them now. They used to be free, but most now charge every year for a certificate.

      Granted, there's one or two of them that are still providing free certs.

      • by Bert64 ( 520050 )

        Yes it's gone backwards, while certs for HTTPS are now free and ubiquitous, certs for S/MIME are much more difficult to get.

    • Because what's the point? Any technically good solution fails when it relies on a user checking something. Signing is not a silver bullet either (and neither is this) as it is trivial to sign a phishing email, just like it's trivial to get an SSL certificate and a lovely padlock symbol for your fake domain.

      This is just another tool in the toolbox.

    • Sure they do. I get spam newsletters from Walmart. Walmart doesn't even exist in my country, and I have never signed up to receive email from them or from anyone who wanted to send email on behalf of "our affiliates" or similar.

      Yet these spam newsletters are signed with walmart.com's domain certificate. Signing your mail with a "legitimate" domain certificate is a great way to bypass many mail services' spam detection, so big corporate spammers do it all the time.

  • So your small busoness's own e-mail server's mails are blocked and end up as spam...

    Fuck Google. Block them wherever you can.

  • Overhead (Score:4, Insightful)

    by WoodstockJeff ( 568111 ) on Tuesday July 13, 2021 @01:41PM (#61578975) Homepage

    As more and more "standards" are added on to "make email secure", the message header grows to exceed the content of ever larger messages.

    Even a 20-line phishing message sent by a compromised hotmail account has 85 lines (over 6K characters) of authentication header, to prove which compromised account it was sent by. If the compromised account is an Office/365 user, it's even higher.

  • by spending effort stopping spammers from sending from their gmail users. I now reject any gmail senders I don't know, and yes the spam is coming from google servers, fully authenticated real gmail accounts.
  • Branding may be a marketer's daydream, but it's not something people should be eager to see more of.

  • We need to flag the bad users not approve of the good ones. If you don't know that domain should include special security then we gain nothing.

  • I get a lot of spam that has the headers all in order. This means that anyone can game email delivery services like Gmail, Constant Contact, SendGrid, Salesforce, and others to send you phishing email with an 'authenticated logo'. This only makes it harder to solve issue around phishing. Of course it comes from Gmail, the biggest spam service of all.

  • by Gravis Zero ( 934156 ) on Tuesday July 13, 2021 @02:41PM (#61579195)

    I'm no security expert... but if they are using a lookalike domain name, can't they also use an identical brand mark? Also, what about client image caching? When you bypass the caching you now have a tracker in every email.

    • Currently at least it must trademarked, so lookalikes are not easy to register.

      • Register? It's a decentralized system. Do you think email servers are really going to waste cycles checking for trademark infringement? They would literally have to render every single image, do a comparison, and hope that clients render SVG the exact same way.

        • They will check the certificate. The certificate issuers will check for the existence of the trade mark. They authorities will check for infringement when you register the trademark.

          • Certificate issuers? What certificate? This isn't TLS.

            • Bimi requires the sender to send a special certificate along with the mail message. That special certificate is expensive and requires the trademark on the logo to get.

            • No it's not. We're not talking about SSL certificates. We're talking about Verified Mark Certificates which is part of the standard. No VMC, no BIMI mark publication.

              • Is each email cryptographicly signed? If not then I'm failing to understand what prevents you from just copying the certificate and using it.

                • Technically yes. This entire process rides on the back of DMARC, DKMI, and SPF, each verifying that the mail is unaltered, and originated from the domain owned by the sender. No doubt it won't be perfect. This signature is not to certify the mail as legit (we already do that with the above lettersalad of bolt-ons to modern email), it's to certify ownership of the mark.

                  • I read over the closest thing I could find to a spec [bimigroup.org] and it seems like it might actually hold up.

                    I can't help but get the feeling that they are trying to go back to when SSL certs were expensive and only for businesses. I wouldn't be surprised if the next move is to amend the TLS spec so that a "brand" favicon is embedded which Chrome will obviously make prominent by the URI.

                    • To be honest that's not actually a bad idea providing companies provide proper due diligence. I don't like how EV certs were abandoned. A multi-tiered system is not actually bad. Cheap SSL certificates to certify the server communication isn't compromised is enough to stop MITM attacks. But I actually liked the days where if I visited eg. www.bankofamerica.com it showed up "Bank Of America" in the address bar thanks to certified (and yes, expensive) EV certificates.

                      If this is only for businesses, fine. Near

                    • EV certificates were never abandoned, they were kneecapped by no other than Google themselves. [wikipedia.org] Other browsers followed their lead. I don't think it was a smart move by any of them.

                    • Agreed.

      • Not easy to register, no. But you can set one of these logos as your avatar image and it will appear next to any messages you send, no registration required. Sure the sending email will be gibberish@gmail.com, but will anyone actually check the sender when the message has the "verified" logo next to it?

    • by Moskit ( 32486 )

      This could be as "secure" as the banking systems which show you "password prompt with a personally chosen picture to let you know this is real bank".
      An attacker would just enter your username, download the "personal" picture from the bank password prompt itself, and then show it to you when phishing.

  • by Anonymous Coward

    We need a new standard that allows distinguishing standards from "standards", where the latter only serve as a way to further one company's deeply anti-competitive, "use our product or die" practices

  • Gmail deploys email tracking bug in every email

    Every "brand" is a tracker because if you actually load the brand then you are making a request to their server. Furthermore, the brand must be a SVG file. The standard says it must be SVG Tiny 1.2 but we all know some clients are just going to load it if they can and not worry what it actually is. This means, someone will start serving up an SVG that has embedded JavaScript and most clients are just going to accept it and execute it. That will make for an exceptional tracker or in the case of careless

  • Sounds like only hackers skilled enough to steal certs will spoof corps. Swell. It's good to know that the money they steal will go to smart self-interested types who are good a hiding their funds. Or to hackers... whichever, really.
  • Certification Authorities: LetsEncrypt is eating our lunch. How can we make more money?

    Certification Authorities: Invent a new type of certificate for brand logos and convince everyone to use them!

    Certification Authorities: Profit!

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...