We’ve all had one: an email claiming to be from your bank, asking you to verify your details…
…and, whilst most people know never, ever, to click a strange link in an email, especially one asking for personal details, and instead to go directly to the website of your bank (or whichever company the email claims to be from) and log in there, making sure your details are sent securely over a trusted SSL connection (which is the case whenever your browser shows “https://” in the URL bar and/or a padlock symbol*), there is still a small minority who will happily hand over their personal information to an unknown site, simply because an official-looking email has arrived in their inbox!
*The padlock symbol MUST be shown in the browser window, and NOT on the web page itself!
But with all this talk about phishing emails, it’s only natural that, as human beings, we have become skeptical of every email that arrives in our inboxes! Some companies, such as eBay, include your username in the email, which, they claim, proves the email is from them, as only they know which account is connected to the email address they’ve just written to!
Though, as I’ve pointed out in a previous post, there can be flaws in this plan! For example, let’s say you told some people, on a forum maybe, that you’re selling something on eBay and they should take a look, and that if they have any questions they can email you. At that point, Joe Public has your email address and your eBay account name. That is all anyone needs to spoof a convincing, official-looking email from eBay!
So what CAN really be done? It sounds like we’re snookered now, right? No!
There is something that could be done, and, in my opinion, should be done! For a few months, I have been using PGP to sign all my emails, even though not many of my contacts have a PGP decoder on their system! If someone wanted to check the validity of my message, though, they can install PGP (or, in my case, GnuPG) at any time and check the message, and the signature.asc file attached to it, against my public key.
PGP itself has been around for almost 20 years now, and webmail has been around for at least 15. I often wonder why none of the webmail providers has included support for PGP. If they did, companies like eBay, or even your bank, could generate themselves a private key, have it verified by about 100 people, and send their public key to their customers/members (or make it publicly available on their site). That way, they could sign every email they send to their customers with that key, and the user would easily be able to see whether the email is genuine, simply because only the company can sign an email with that particular key!
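The check described above (a company signs each message, the customer verifies the detached signature.asc against the company’s public key), as an added example that is not part of the original post. It uses GnuPG from the shell; the sender name, address, message text and temporary keyrings are all constructed for the demo:

```shell
#!/bin/sh
# Constructed example (not from the original post): a company signs an email
# body with a detached PGP signature (signature.asc) and a customer who holds
# only the company's public key verifies it. Requires gpg 2.1 or newer.
set -eu

make_signer_key() {
  # $1 = GNUPGHOME for the signer; key and identity are assumed, not real
  gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example Corp <billing@example.com>' default default never >/dev/null 2>&1
  gpg --homedir "$1" --batch --armor --export billing@example.com > "$1/pubkey.asc"
}

sign_message() {
  # $1 = signer GNUPGHOME, $2 = message file, $3 = output signature.asc
  gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase '' \
      --local-user billing@example.com --armor --detach-sign --output "$3" "$2" 2>/dev/null
}

verify_message() {
  # $1 = verifier GNUPGHOME (holds only the public key), $2 = signature.asc, $3 = message
  gpg --homedir "$1" --batch --verify "$2" "$3" >/dev/null 2>&1
}

# Returns 0 only if the genuine message verifies AND an altered copy is rejected.
demo() {
  work=$(mktemp -d)
  mkdir -m 700 "$work/signer" "$work/customer"
  make_signer_key "$work/signer"
  printf 'Dear customer,\nYour invoice #1234 is attached.\n' > "$work/message.txt"
  sign_message "$work/signer" "$work/message.txt" "$work/signature.asc"
  # Customer imports only the public key, as if downloaded from the company's site.
  gpg --homedir "$work/customer" --batch --import "$work/signer/pubkey.asc" >/dev/null 2>&1
  verify_message "$work/customer" "$work/signature.asc" "$work/message.txt" || return 1
  # A copy with even one changed line must fail: nobody else holds the signing key.
  printf 'Dear customer,\nYour invoice #1234 is at the link below.\n' > "$work/altered.txt"
  if verify_message "$work/customer" "$work/signature.asc" "$work/altered.txt"; then
    return 1
  fi
  gpgconf --homedir "$work/signer" --kill gpg-agent >/dev/null 2>&1 || true
  gpgconf --homedir "$work/customer" --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
  return 0
}
```

Note that gpg still reports the good signature as coming from an uncertified key until the customer has checked the fingerprint through a trusted channel, which is exactly the step the post's "verified by about 100 people" is meant to cover.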
A similar system, SSL (Secure Sockets Layer), is used to encrypt websites where you enter personal information, so surely a similar system could be used for email. If more people used PGP, then personal details could also be sent safely between the company and the customer by email, as long as the emails themselves were encrypted, though I personally think that latter idea might not be a terribly good one, due to the likelihood of somebody forgetting to press the “encrypt” button, sending their account details in plain text, and most likely ending up with someone in court!
So that’s my theory anyway: companies should sign their emails so that their customers/members know the message can be trusted, and webmail companies should provide a way for users to generate and/or use PGP keys within their system!