Views, Reactions and Impact of Digitally-Signed Mail in e-commerce.

Similar documents
How to make Secure Easier to use

Privacy & Cookie Statement

Business Writing In English

Valley Blinds GDPR Privacy Policy. Introduction. What kind of personal data do we collect?

Oblong Europe Ltd- UK Data Privacy Policy

Spam. Time: five years from now Place: England

Security Using Digital Signatures & Encryption

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

Mobile Banking and Payments Emerging Trends and Opportunities

WITH INTEGRITY

Intro. So, let s start your first SMS marketing legalese class!

A Step By Step Guide To Use PayPal

COST PER LEAD ADVERTISING BY THE NUMBERS 10 Steps That Will Transform Your Acquisition Process

Public-Key Infrastructure NETS E2008

US 2013 Consumer Data Privacy Study Mobile Edition

Vistra International Expansion Limited PRIVACY NOTICE

McAfee S DO s AnD DOn ts Of Online Shopping

What information is collected from you and how it is used

DROPBOX.COM - PRIVACY POLICY

MAKING SENSE OF MULTICHANNEL MARKETING

ETSY.COM - PRIVACY POLICY

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

Privacy Policy Statement Last update 25 th May 2018.

Go Time for Mobile Wallets?

When you provide personal information to us it will only be used in the ways described in this privacy policy.

Preview. Mobile Payments. Payments Strategy Series. A Guide to Planning Your Approach. Price: $150

Unit 9 Tech savvy? Tech support. 1 I have no idea why... Lesson A. A Unscramble the questions. Do you know which battery I should buy?

Authentication & Authorization

Duplication and/or selling of the i-safe copyrighted materials, or any other form of unauthorized use of this material, is against the law.

CPET 581 E-Commerce & Business Technologies. References

Sarri Gilman Privacy Policy

10 Tips for Real Estate Agents looking for an Internet Fax Service

10 Steps to Writing Effective s

Microsoft Certified Trainer

Privacy Shield Policy

Privacy Policy. Version: August 2015 Mayfair Wealth Management Pty Ltd ABN Trading as AEGEAN WEALTH PARTNERS

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

How to Guide. How to create mobile surveys. and forms START

CAREERBUILDER.COM - PRIVACY POLICY

PRIVACY POLICY. Personal Information Our Company Collects and How It Is Used

IMPORTANT WORDS AND WHAT THEY MEAN

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Magento GDPR Frequently Asked Questions

register to use the Service, place an order, or provide contact information to an Independent Business Owner;

Naming and Certificates

Canadian Anti Spam Legislation (CASL) FREQUENTLY ASKED QUESTIONS

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions:

Website privacy policy 25 May 2018

Making a Postal Complaint

Cloud Pricing Privacy Policy

Yammer Product Manager Homework: LinkedІn Endorsements

VISTRA (CYPRUS) LTD. PRIVACY NOTICE

Future Of File Sharing: Challenges of Portals, PDF Encryption, Tax Return Delivery & E-Signatures

News English.com Ready-to-use ESL / EFL Lessons

Hertfordshire Natural History Society

Navigate our app like a pro. How-to s, guides and more. Certified by J.D. Power* for providing An Outstanding Mobile Banking Experience.

REGULATED DOMESTIC ROAMING RESEARCH REPORT 2017

OUR PRIVACY POLICY. 1. Our Privacy Principles. 2. Information that We Collect from You. Last Updated: May 25, 2018

News English.com Ready-to-use ESL / EFL Lessons

Welcome to Numerica Credit Union s Amazon Alexa * Skill

The Dilemma: Junk, Spam, or Phishing? How to Classify Unwanted s and Respond Accordingly

Add Your Product to Clickbank

Thanks for using Dropbox! Here we describe how we collect, use and handle your information when

The data quality trends report

Canadian Anti-Spam Legislation (CASL) FREQUENTLY ASKED QUESTIONS

Prizetech Privacy Policy

Our Commitment To Privacy PRIVACY POLICY. Last Modified July 26, 2018

Electronic Service Only

The great primary-key debate

Ecological Waste Management Ltd Privacy Policy

Addressing Consumer Privacy

BEST PRACTICES FOR PERSONAL Security

Website Privacy Policy

User Guide. mpos Readers RP350x & RP457c Mobile Payment Acceptance User Guide for Android

AN INMATE S GUIDE TO ADMINISTRATIVE REMEDY REQUESTS AT FEDERAL PRISONS

Upgrade Your ONYX Customers...

DPX Pay Person to Person (P2P) Account to Account (A2A)

A Step by Step Guide to Postcard Marketing Success

ADMIRAL MARKETS PTY LTD PRIVACY POLICY

You can contact us about any questions, comments or requests you may have regarding this privacy policy using the details below:

Money Management Account

Cross Drive Analysis: A New Analytic Approach for Massive Data Sets

NDSU Lunchbytes. "Are They Really Who They Say They Are?" Digital or Electronic Signature Information. Rick Johnson, Theresa Semmens, Lorna Olsen

PRIVACY POLICY QUICK GUIDE TO CONTENTS

Phishing Read Behind The Lines

VozLatinum: About Your Points FAQ

Multi-Factor Authentication: Security or Snake Oil? Steven Myers Rachna Dhamija Jeffrey Friedberg

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

CSBANK ONLINE ENROLLMENT FORM CITIZENS STATE BANK

Privacy Notice. Introduction. What is personal data? Date Updated: 2/11/2019

Activity Guide - Public Key Cryptography

Managing Graymail. Overview of Graymail. Graymail Management Solution in Security Appliance

Adopting the Electronic Credit Application

Marketing Insider... 3 Section 1 Your List... 4 AWeber Basics... 4 Create your Account... 5 Exploring AWeber s Members Area...

General Terms and Conditions

Data Protection and Information Security. Presented by Emma Hawksworth Slater and Gordon

Roadmap to the Efficient Cloud: 3 Checkpoints for the Modern Enterprise

Hallmark Solutions Limited PRIVACY NOTICE

Privacy statement MediaLab

1.2. Survey Information. Company may collect Personal Information from you when you voluntarily complete a Company survey, order form, or a

Transcription:

Views, Reactions and Impact of Digitally-Signed Mail in e-commerce Simson L. Garfinkel (MIT) Jeffrey I. Schiller (MIT) Erik Nordlander (MIT) David Margrave (Amazon.com) Robert C. Miller (MIT) http://www.simson.net/smime-survey.html/ 1

Secure Email: Where are we today? RFC 989: Privacy Enhanced Mail (1987) PGP (1992) has failed to gain market penetration. S/MIME (1998): Support in Outlook, Notes, Apple Mail Soon in Eudora (this year!) No support in consumer web mail systems. A few other odd balls. After roughly 20 years of active work, most mail sent over the Internet is not secure. 2

If support for S/MIME is pervasive, why isn t use of S/MIME widespread? There are really two options: Option #1: S/MIME is hard to use. It s hard to seal mail for a recipient: You need their certificate. It s hard to sign mail: You need your own certificate. Option #2: Secure email just isn t needed.... But given the problems with spam and phishing, it s hard to argue that email security isn t needed. 3

Perhaps the problem is with this phrase, email security. There are many ways that email could be secured. Disconnected email islands. (1980s solution) Filtering (today s solution) Sender-certified or proof-of-sender Sender pays (financially or computationally) Proof-carrying messages Email security seems to be one of the grand challenges of computer security. 4

There are also many ways that an average person (like my mother) could use S/MIME To send S/MIME mail. sealed mail: She needs the recipient s certificate. signed mail: She needs her own certificate. To receive S/MIME mail. sealed mail: She needs her own certificate (and she needs to get it to the sender!) signed mail: She need sender s CA s certificate. (S/MIME messages come with the certificate of the signer.) Every S/MIME client ships with CA certificates for VeriSign, Thawte, and other well-known CAs. 5

Mail signed with an S/MIME certificate issued by a well-known CA will be verified by most email clients. Outlook Express Apple Mail But few organizations are sending S/MIME signed mail. 6

Amazon.com: The S/MIME Leader! In June 2003, Amazon.COM started using S/MIME to sign the VAT invoices sent to its European Marketplace Sellers. EU Directive 99/93/EU calls for the use of advanced digital signatures for certain kinds of electronic messages. Amazon sent signed mail to Europeans, but not to other merchants. This created an excellent opportunity for survey research. 7

Research questions that we wanted to answer: Did people have software to automatically verify the signatures? Did they understand what the software told them? What did they think that a signature on a message means? How did receiving signed messages affect their attitudes? These are open research questions. 8

There are many cases in which a signed S/MIME message has problems. Exformation:?...! Digital Signatures and Electronic Documents: A Cautionary Tale [Kain, Smith & Asokan 02] Do you digitally sign the email to your attorney with the contract that s under review? S/MIME is a lousy signature standard, but it s the signature standard that we have. 9

We created a web survey and posted links to it in the Amazon Sellers Forums: 5 web pages; 40 questions total 2 minutes to complete each page Different URLs for Europe vs. America Europe Sellers had received signed messages from Amazon. US Sellers had not received the messages 10

Survey respondents: 1083 sellers clicked on the link 470 submitted the first web page. 417 (89%) completed all five pages. Very educated: 26.1% advanced degree 34.9% college degree Very computer literate: 18% very sophisticated computer user 67.7% comfortable using computers 11

Findings on Attitudes: Roadmap 1. Statistical Techniques 2. Passive Learning 3. Knowledge and Attitudes 4. Savvy vs. Green 5. What should be signed? 6. What should be sealed? 7. What do the respondents have? 8. Risks 9. Conclusions 12

Interesting partitions of the survey population: Savvy: Europe (93) vs. US (376) Savvy (148) vs. Green (334) Rated their understanding of encryption and digital signatures a 1 ( very good ) or 2 on a 5-point scale. (23 and 53) Had knowingly received a signed message (104) Had knowingly received a sealed message (39) Always or sometimes send digitally signed messages (29) Significance Test: Logistic Regression with χ 2. Not everything that s significant is relevant! (Highest education high school: 16% Europe, 5% US, p <.01.) 13

Most can automatically handle S/MIME-signed mail Which computer programs do you use to read your email? Microsoft Outlook Express 41.8% Outlook 30.6% Netscape 10.1% Any S/MIME compatible reader 81.1% Eudora 6.9% (Webmail) 13.1% Fortunately, fixing the webmail problem doesn t require upgrading client software! 14

But most people who can receive S/MIME mail don t know it: Does your email client handle encryption? Yes 26.9% No 5.4% I don t know 58.5% What s encryption? 9.2% 15

Passive Learning Works! Practically speaking, do you think that there is a difference between mail that is digitally-signed and mail that is sealed with encryption? Yes 54% Europe** 67% US** 51% No 7% Don t know 39% Europe** 26% US** 43% ** p <.01 Users who received S/MIME-signed mail know more about encryption than those who didn t. 16

Respondents thought that signatures should be used for financial matters. What should be digitally signed? (E-Commerce) Bank or credit-card statements 65% Receipts from online merchants 59% Questions to online merchants 33% Savvy* 26% Green* 36% Advertisements 17% * p <.05 17

Respondents thought that signatures should be used for financial matters. What should be digitally signed? (General Email) Tax returns or complaints to regulators 74% Personal mail sent or received at work 40% Personal mail sent or received at home 40% Mail to political leaders voicing opinion 38% Newsletters from politicians 22% Most thought that signatures should be used for financial matters, but not otherwise. 18

Likewise, most respondents thought that sealing should be used for financial matters. What should be digitally sealed? (E-Commerce) Bank or credit-card statements 79% Receipts from online merchants 47% Savvy* 39% Green* 51% Questions to online merchants 18% Advertisements 3% * p <.05 Interestingly, those who are more familiar with encryption thought that sealing was less important for receipts. 19

Likewise, most respondents thought that sealing should be used for financial matters. What should be digitally sealed? (General Email) Tax returns or complaints to regulators 74% Mail to political leaders voicing opinion 38% Personal mail sent/received at work 38% Savvy*** 26% Green*** 44% Personal mail sent/received at home 31% Savvy* 25% Green* 34% Newsletters from politicians 3% * p <.05; *** p <.001 20

Companies that send digitally signed mail: On a scale of 1 to 5, where 1 is strongly agree and 5 is strongly disagree: Strongly Disagree5 4 3 Europe US Savvy Green 2 Strongly Agree Companies that send digitally signed mail are more likely to... 1 0 to have good return policies to be law-abiding To be based in the US Respondents don t think that sending digitally signed mail means that companies are better merchants 21

Digitally signed mail: Strongly Disagree5 4 Europe US 3 2 Strongly Agree Digitally Signed Mail 1 0 Is more likely to contain information that is truthful Is less likely to be read by others Respondents didn t think that digitally signed mail is inherently more truthful or less likely to be eavesdropped. 22

Free-Format Responses Many respondents wished they knew more about email security: I wish I knew more about digitally-signed and sealed encrypted e-mail, and I wish information were more generally available and presented in a manner that is clear to those who aren t computer scientists or engineers. This is an interesting topic... I had not thought about the need to send/receive signed or sealed e-mail for other than tax info. 23

Many respondents don t want any more complications! Most sellers do not care about digital signatures when selling on on-line marketplaces unless they are dealing in big sums of money in the transaction, even then I still do not care. I think it a good idea, but I m lazy and it s too much trouble to bother with. I know it s necessary, but it shouldn t be complicated to handle. 24

Conclusions: The Time for Signatures is Now. Even though most (58.5%) respondents didn t know that they could read S/MIME signatures, the vast majority (81.1%) could. People who have no interest in selling this technology believe that it should be used. Sending signed mail require zero training for recipients and zero keystrokes; but the results are visible! Amazon s out-of-pocket cost was trivial. Companies that send out email should probably sign it. Questions? 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback