Computerworld - Here's a message I hope I'll never have to send: Hello. You're in my address book and therefore have probably been sent an e-mail "from me" containing a zipped attachment - which I supposedly received from (Sender), (Title) at (Prominent Company).
Do NOT open the zipped attachment - this is the worm virus in the news. Simply delete the e-mail.
Sorry, (Victim)
I received this pathetic missive in the wake of the so-called Love Bug's predecessor, ExploreZip.worm. These worms, while clever, are more socially than technically adept. A victim is attacked by a message that seems to come from an acquaintance. In reality, of course, the poisoned message comes from a trusted person's machine, not that trusted person.
After the Love Bug, experts made the same tired recommendations we always see:
• Disable macro languages.
• Ban attachments in corporate environments.
• Don't open any attachment you aren't sure about.
Will we ever learn? This isn't really about viruses and worms at all; it's about identity.
You probably do most of your business through e-mail, where you're represented by nothing more than an e-mail address. Everybody knows it's trivial to forge an e-mail address, and we now know it's also far too easy to hijack somebody's e-mail program. Sadly, a solution has been widely available - and almost universally ignored - for almost five years.
Since 1996, the e-mail clients bundled with both Microsoft's and Netscape's browsers have enabled us to digitally sign our messages and thus prove our identities to recipients. I sign all my e-mail messages, but I can count on the fingers of two hands the people who have ever sent me signed e-mail. Leave out cryptography experts, and I only need one hand.
To sign your e-mail, you need a client certificate, a.k.a. digital identification. These are like the server certificates that secure Web sites use to support Secure Sockets Layer (SSL) connections. But server certificates do more than just activate SSL. They also authenticate servers to clients - that is, they prove to your browser that it's really connected to Amazon.com and not to some rogue site.
The dirty little secret of e-commerce is that clients aren't authenticated to servers. You know that Amazon.com is Amazon.com, but it doesn't know who you are; it knows only that you're somebody's valid credit-card number. Why not use a client certificate? It takes effort to acquire and use one, and nobody wants to slow the e-commerce juggernaut by asking people to make that effort.
It's long past time
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
