why there is nothing like a “verified checkmark” for E-Mails of real companies like PayPal to distinguish their E-Mails from scams

1.89K views

why there is nothing like a “verified checkmark” for E-Mails of real companies like PayPal to distinguish their E-Mails from scams

In: 7499

69 Answers

Anonymous 0 Comments

There is. The primary problem is that people don’t always take time to actually look.

Each domain, like example.com can “blue check” their outgoing emails. Many mail servers will even reject incoming mail that doesn’t have the “verified check mark”.

The problem is that humans see an email, with the “blue check” from instascam.com saying their instantgram account is locked, click the link to instascam, their browsers loads the instascam webpage that they then enter their credentials into.

More details on how sent emails are verified. https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/

Anonymous 0 Comments

The entire internet was designed to not require any sender to prove their identity. In fact all traffic, as it travels through the internet, “self reports” where it came from, similar to how you can write anything you want in the return address of an envelope. The people who designed it were scientists and hobbyists and not thinking about the internet getting so big, and so important, that it would be worth anyone’s while to lie about where traffic came from.

Email protocols were invented around the same time. As such, they trust the “return address” that the sender claims to be. That’s just how it was invented, and the internet is now too big for anyone to propose a single, more secure system, that everyone would agree to adopt at once.

Instead, people have had to layer in “proof of identity” technology over the top of a system that doesn’t require it. One way is via “certificates,” that work a little like signatures. By comparing the signature on the email (or any data in general) with the “official” signature on file in some central trusted authority, you can tell it came from who it was supposed to. Some email providers like GMail now try to do this automatically, but this really only works if both the sending and receiving parties agree on who the authority should be.

Anonymous 0 Comments

The entire internet was designed to not require any sender to prove their identity. In fact all traffic, as it travels through the internet, “self reports” where it came from, similar to how you can write anything you want in the return address of an envelope. The people who designed it were scientists and hobbyists and not thinking about the internet getting so big, and so important, that it would be worth anyone’s while to lie about where traffic came from.

Email protocols were invented around the same time. As such, they trust the “return address” that the sender claims to be. That’s just how it was invented, and the internet is now too big for anyone to propose a single, more secure system, that everyone would agree to adopt at once.

Instead, people have had to layer in “proof of identity” technology over the top of a system that doesn’t require it. One way is via “certificates,” that work a little like signatures. By comparing the signature on the email (or any data in general) with the “official” signature on file in some central trusted authority, you can tell it came from who it was supposed to. Some email providers like GMail now try to do this automatically, but this really only works if both the sending and receiving parties agree on who the authority should be.

Anonymous 0 Comments

There is. The primary problem is that people don’t always take time to actually look.

Each domain, like example.com can “blue check” their outgoing emails. Many mail servers will even reject incoming mail that doesn’t have the “verified check mark”.

The problem is that humans see an email, with the “blue check” from instascam.com saying their instantgram account is locked, click the link to instascam, their browsers loads the instascam webpage that they then enter their credentials into.

More details on how sent emails are verified. https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/

Anonymous 0 Comments

The entire internet was designed to not require any sender to prove their identity. In fact all traffic, as it travels through the internet, “self reports” where it came from, similar to how you can write anything you want in the return address of an envelope. The people who designed it were scientists and hobbyists and not thinking about the internet getting so big, and so important, that it would be worth anyone’s while to lie about where traffic came from.

Email protocols were invented around the same time. As such, they trust the “return address” that the sender claims to be. That’s just how it was invented, and the internet is now too big for anyone to propose a single, more secure system, that everyone would agree to adopt at once.

Instead, people have had to layer in “proof of identity” technology over the top of a system that doesn’t require it. One way is via “certificates,” that work a little like signatures. By comparing the signature on the email (or any data in general) with the “official” signature on file in some central trusted authority, you can tell it came from who it was supposed to. Some email providers like GMail now try to do this automatically, but this really only works if both the sending and receiving parties agree on who the authority should be.

Anonymous 0 Comments

There are existing mechanisms of digital signing of emails/data/etc. involving public/private key encryption, but the technical complexity involved in setting it up is more then most who are even capable of doing so want to bother with individually.

But if you are interested, you should check out things like:

[What is Public Key Infrastructure (PKI)](https://www.digicert.com/what-is-pki)

[OpenPGP](https://www.openpgp.org/)

[The GNU Privacy Guard (GnuPG)](https://gnupg.org/)

[Gpg4win](https://www.gpg4win.org/)

Anonymous 0 Comments

There are existing mechanisms of digital signing of emails/data/etc. involving public/private key encryption, but the technical complexity involved in setting it up is more then most who are even capable of doing so want to bother with individually.

But if you are interested, you should check out things like:

[What is Public Key Infrastructure (PKI)](https://www.digicert.com/what-is-pki)

[OpenPGP](https://www.openpgp.org/)

[The GNU Privacy Guard (GnuPG)](https://gnupg.org/)

[Gpg4win](https://www.gpg4win.org/)

Anonymous 0 Comments

There are existing mechanisms of digital signing of emails/data/etc. involving public/private key encryption, but the technical complexity involved in setting it up is more then most who are even capable of doing so want to bother with individually.

But if you are interested, you should check out things like:

[What is Public Key Infrastructure (PKI)](https://www.digicert.com/what-is-pki)

[OpenPGP](https://www.openpgp.org/)

[The GNU Privacy Guard (GnuPG)](https://gnupg.org/)

[Gpg4win](https://www.gpg4win.org/)

Anonymous 0 Comments

The email system wasn’t really built to be secure. It was built during a time when the only people who had network access were researchers and students at universities. It was kind of a given that nobody was going to do nasty things because at one time you could make a list of everyone who had access to it.

There are ways people can authenticate they are who they say they are via a form of encryption called “shared key encryption”. But it means you have to take a few extra steps when both sending and reading email and that little bit of extra friction deters 90% of people who want email to “just work”. If it had been something people were taught to use from the start, email programs would support it more. But as-is you have to keep track of a special “key” file and if you lose it, you can’t send emails anymore. And every time a new person sends you an email you have to go download their “public key” so you can use it to make sure they are who they say they are. Some programs exist to streamline this but it’s always a little janky.

There are some looser ways to verify things that *some* email providers like GMail do for *some* entities. One of the janky things about the email system is I can forge an email that says it comes from paypal.com. But there’s a little bit of a paper trail in every sent email, and the emails that legitimately come from PayPal tend to have a paper trail that says they originate on PayPal servers. My forged email would have a slightly different paper trail. GMail sniffs that out and marks things as suspicious. A really determined attacker can hide the true source of the email, but unless they have access to specifically PayPal’s email servers they won’t really be able to make a paper trail that looks “right”.

A flaw in this is Google has to see quite a few emails to understand what that paper trail should look like, and it works best if you have your own internal servers that only your employees access to send mail. If you’re just a random small business, they won’t know what your paper trail “should” look like. They *can* verify if emails came from, say, another GMail account since that all happens inside their servers. So that’s a perk of using Google’s services to run your business email.

And in the end it just kind of… works. 99% of people know better than to click links in emails and start typing in personal details. We’re a world that takes joy in not going out of our way for the vulnerable 1%.

Anonymous 0 Comments

The email system wasn’t really built to be secure. It was built during a time when the only people who had network access were researchers and students at universities. It was kind of a given that nobody was going to do nasty things because at one time you could make a list of everyone who had access to it.

There are ways people can authenticate they are who they say they are via a form of encryption called “shared key encryption”. But it means you have to take a few extra steps when both sending and reading email and that little bit of extra friction deters 90% of people who want email to “just work”. If it had been something people were taught to use from the start, email programs would support it more. But as-is you have to keep track of a special “key” file and if you lose it, you can’t send emails anymore. And every time a new person sends you an email you have to go download their “public key” so you can use it to make sure they are who they say they are. Some programs exist to streamline this but it’s always a little janky.

There are some looser ways to verify things that *some* email providers like GMail do for *some* entities. One of the janky things about the email system is I can forge an email that says it comes from paypal.com. But there’s a little bit of a paper trail in every sent email, and the emails that legitimately come from PayPal tend to have a paper trail that says they originate on PayPal servers. My forged email would have a slightly different paper trail. GMail sniffs that out and marks things as suspicious. A really determined attacker can hide the true source of the email, but unless they have access to specifically PayPal’s email servers they won’t really be able to make a paper trail that looks “right”.

A flaw in this is Google has to see quite a few emails to understand what that paper trail should look like, and it works best if you have your own internal servers that only your employees access to send mail. If you’re just a random small business, they won’t know what your paper trail “should” look like. They *can* verify if emails came from, say, another GMail account since that all happens inside their servers. So that’s a perk of using Google’s services to run your business email.

And in the end it just kind of… works. 99% of people know better than to click links in emails and start typing in personal details. We’re a world that takes joy in not going out of our way for the vulnerable 1%.