Our computer security problems are our own fault

October 26, 2022

Over on Twitter and the Fediverse I said something:

A quiz: you're a normal, ordinary person and you've received an email with a PDF invoice attached (so it says). You click on the invoice in your mail program and it shows you this. What are you seeing and how alarmed should you be?

A blurred invoice in the background with an 'Adobe PDF / Sign in to view invoice payment' dialog on top, asking for your password.

The spoiler is that this is the 'HTML attachment presented as a PDF attachment' phish that I talked about yesterday. This isn't a real PDF that's been encrypted and magically needs your password to unlock; this is a HTML form that will send your password to the phisher if you try to 'sign in' to see the PDF.

(This image is from a browser instead of a mail client. A mail client I tried rendered it somewhat differently, but I don't know how other ones behave. As covered, since spammers do it I have to assume it works in enough environments to be useful.)
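As an added example (not code from the original post), here is a small defender-side check for the attachment the post describes: it walks a MIME message and flags a part that is named or typed as a PDF but actually contains HTML, and any HTML attachment that carries a password field. The sample message is constructed inline and the heuristics are illustrative rather than a complete detector.

```python
"""Flag attachments that claim to be PDFs but carry an HTML login form.
Added example (not from the original post); sample message constructed inline,
heuristics illustrative rather than a complete detector."""
import re
from email import message_from_bytes, policy

# A real PDF starts with the %PDF- magic; an HTML body with a password field is
# the 'sign in to view the invoice' pattern the post describes.
PASSWORD_FIELD = re.compile(rb'<input[^>]+type\s*=\s*["\']?password', re.I)
HTML_MARKER = re.compile(rb'<\s*(!doctype\s+html|html|form|script)', re.I)

def classify_attachment(part):
    """Return findings for one MIME part; an empty list means nothing suspicious."""
    findings = []
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    claims_pdf = name.endswith(".pdf") or part.get_content_type() == "application/pdf"
    looks_pdf = payload.startswith(b"%PDF-")
    looks_html = bool(HTML_MARKER.search(payload[:4096]))
    if claims_pdf and not looks_pdf and looks_html:
        findings.append("pdf-named-but-html")  # attachment file type confusion
    if looks_html and PASSWORD_FIELD.search(payload):
        findings.append("html-with-password-form")  # credential-harvesting form
    return findings

def scan_message(raw):
    """Scan a raw RFC 822 message; map each flagged attachment name to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        # Only leaf parts that are attachments (or at least carry a filename) matter.
        if part.is_multipart() or not (part.get_content_disposition() or part.get_filename()):
            continue
        if findings := classify_attachment(part):
            flagged[part.get_filename() or part.get_content_type()] = findings
    return flagged

# Constructed sample: a plain-text body plus an 'invoice.pdf' that is really HTML.
SAMPLE = (
    b"From: billing@example.invalid\r\nTo: you@example.invalid\r\nSubject: Invoice\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease see the attached invoice.\r\n"
    b"--b1\r\nContent-Type: application/pdf; name=\"invoice.pdf\"\r\n"
    b"Content-Disposition: attachment; filename=\"invoice.pdf\"\r\n\r\n"
    b"<html><body><form method=post action=\"http://example.invalid/x\">"
    b"<input type=password name=pw></form></body></html>\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A mail gateway would normally quarantine or relabel a flagged part rather than just report it; the point here is that the declared type and the actual content disagree in exactly the way an ordinary user cannot see.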

We (the computing community) did this to ourselves. We created a situation where a HTML attachment received in email could plausibly look, to ordinary people, like something that would appear from trying to look at an ordinary PDF. There are a whole bunch of individual pieces and steps that got us here, each sensible on their own in some view, but the collective result is that we did this to ourselves. We have no one else to blame when ordinary people fill in their password and hit 'Sign in'.

These steps aren't just displaying HTML attachments and PDF attachments in mail clients in a way that's hard for ordinary people to immediately tell apart if they're not already suspicious. It's also things like creating a world where opening an attachment might plausibly require a password or additional authentication to actually see it. It's a computing world where you can be challenged for authentication at what feels like random times for random reasons, and there's enough of that noise that one more roadblock in the way of getting your work done barely registers.

(On a larger scale, there's also the issue that we have no general secure file transfer system beyond 'mail people documents that are encrypted in a variety of ways', ranging from 'locked' PDFs to encrypted ZIP archives to more technical options.)

I don't have any solutions. I'm not sure a solution is even possible at this point. Come back in fifty or a hundred years; maybe we'll have figured one out by then. Or everything will have changed so much that the problem is irrelevant.


Comments on this page:

By Andrew at 2022-10-26 22:28:20:

And of course 80% of our "real apps" are written with HTML and CSS, so of course a random webpage (or bit of HTML embedded in whatever) is going to be trivially able to disguise itself as a legit app!

Some possible small steps that could be part of a solution:

- all tools/apps that display a web page or web content should have a way of showing the true URL(s).

- all tools/apps should use a system-wide allow-list of domains, if there is one.

- all sites where you have an account should let you set a "badge" (image) in the profile, and that badge should be displayed to you after you give username in a login page. If it's not the right badge, you know you're not talking to the right site.

- all sites where you have an account should let you set an optional allow-list of IP addresses or IP address ranges in the profile, and login is allowed only from those IP addresses.

I'm sure the bad guys will find ways around some of this, eventually.

I read e-mail in Emacs, so this can't affect me.

We (the computing community) did this to ourselves.

No, businesses did this to the world.

I don't have any solutions. I'm not sure a solution is even possible at this point.

For normal people who must obey the businesses doing this, there are none, no.

Come back in fifty or a hundred years; maybe we'll have figured one out by then. Or everything will have changed so much that the problem is irrelevant.

Eventually, this nonsense will collapse underneath its own weight, and perhaps what comes later will be better.

By Alexander at 2022-10-27 16:30:51:

We (the computing community) did this to ourselves.

I disagree with this phrasing. Sure, at some point a member of the "computing community" did implement all the things you listed, but this is often (I argue mostly) done to satisfy consumer/boss/market demand.

To use html-email as an example: It's not like programmer#42634 at BigCorp can say "I won't add this html crap to our mail client" - or he can say it once and then leave. The company (very probably rightfully so) thinks that the average market favors an email client that can contain unsafe but "fancy" html over the safe but "ugly" text-only client.

Same with inconsistent security practices that lead to unclear situations about when and where users can expect to input passwords: Real security is available but basically not used by the average user. Why? I think because (often) to be really secure you get more friction and problems than it is worth for the average user. Given the choice between validating pgp-keys (or checking some other cryptographic signature) and simply trusting that the sender bob is bob (an assumption that is more often correct than it is not in your day-to-day life) - I think I know what most people choose.

The average user simply does not care about being this secure. He might say he does - but his actions speak otherwise as soon as he actually has to do the work for it or give up some "features". And no - it is not possible that "we" magically can do this 100% for him and he bears 0% impact.

Try mandating text-only mails in your network and report back who complains more (on average): "the computing community" or all the other users.

I also tend to think that those trade-offs are inherent and can probably be lessened but not completely avoided. Here I see the "action item" for "the computing community": Try to minimize that trade-off as much as possible.

we have no general secure file transfer system

And we never will because it would be too useful for piracy… which is a concept we invented because as a society we made the decision that commerce should be the mechanism by which art and culture should be funded.

Other approaches would be possible and the technology we have would admit network structures that would accommodate them, but deeply rooted societal structures would have to change first.

Written on 26 October 2022.

Last modified: Wed Oct 26 21:08:26 2022