
On privacy, I see they mention “E2EE”… That shouldn’t even be a feature in 2024.

It’s more interesting to know how they are handling the privacy in the application itself.


> That shouldn’t even be a feature in 2024.

That statement can be viewed in many ways. ;)


Anyone willing to share opinions on BIMI?

I’m wondering if it is worth it for most medium-large organizations, or if this is specifically worth it if you are doing a lot of commerce and sending e-mails to customers etc.

Furthermore, (stating the obvious) DKIM, SPF and DMARC are also implemented by malicious parties and only authenticate that the server was allowed to send using a particular domain name. BIMI seems to require a VMC (Verified Mark Certificate). Is this verified, and is it effective in preventing unauthorized parties from BIMI-verifying their domains using stolen brand logos etc.?

Also, is Microsoft Outlook (still) not supporting/adopting BIMI?


Happy to.

BIMI is worthless. It's a carrot to get your marketing department on board with setting up DMARC because they are the most likely to push back due to fears of the project affecting their email deliverability. You have to fully deploy DMARC to set up BIMI.

Now, BIMI and the costs to "verify" your mark are pushed by exactly the same people who tried to sell you extended validation SSL that would turn your browser address bar green when you visited a site that had gone through this verification.

Just like with EV SSL, BIMI has no positive impact on user security. They're just as likely to open / not open an email with BIMI as they are to visit a site with or without EV SSL. In some cases, it's actually worse.

The only benefit to BIMI is it gives you another place for the marketing department to stick the logo so they'll stop fighting the DMARC rollout. That's it. Otherwise it's a total waste of money and time.

Wrote about it here: https://www.brightball.com/articles/enterprise-challenges-wi...
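The comment above says BIMI requires DMARC to be fully deployed, and the VMC question comes up again further down. Here is a small readiness check that parses a domain's DMARC and BIMI TXT records and reports what is missing. This is an added example, not code from the thread or from any BIMI tooling; the records are constructed sample values, and the thresholds it applies (DMARC p=reject, or p=quarantine with pct=100, and no sp=none override) are this example's reading of "fully deployed DMARC".

```python
"""Check whether a domain's DNS records satisfy the DMARC prerequisite for
BIMI and whether the BIMI record itself points at a VMC.

Added example (not from the thread or any BIMI implementation). The records
below are constructed; the policy thresholds are assumptions of this
example, not quoted from a specification.
"""
from typing import Dict, List


def parse_tag_value(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style TXT record (DMARC and BIMI share this layout)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(dmarc_record: str) -> bool:
    """True if the DMARC policy would actually act on failing mail."""
    tags = parse_tag_value(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    # sp defaults to p when absent; an explicit sp=none leaves subdomains open
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    if policy == "reject":
        pass
    elif policy == "quarantine" and pct == 100:
        pass
    else:
        return False
    return subdomain_policy != "none"


def bimi_findings(bimi_record: str, dmarc_record: str) -> List[str]:
    """Return human-readable problems; an empty list means 'ready'."""
    findings = []
    if not dmarc_is_enforcing(dmarc_record):
        findings.append("DMARC policy is not enforcing (need p=reject, or "
                        "p=quarantine with pct=100, and sp must not be none)")
    tags = parse_tag_value(bimi_record)
    if tags.get("v", "").upper() != "BIMI1":
        findings.append("BIMI record missing v=BIMI1")
    logo = tags.get("l", "")
    if not logo.startswith("https://"):
        findings.append("logo URL (l=) must be https")
    elif not logo.lower().endswith(".svg"):
        findings.append("logo URL (l=) should point at an SVG")
    vmc = tags.get("a", "")
    if not vmc:
        findings.append("no VMC (a=): mailbox providers that require one will not show the logo")
    elif not vmc.startswith("https://"):
        findings.append("VMC URL (a=) must be https")
    return findings


# Constructed sample records (example.com is a reserved documentation domain)
READY_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BIMI_WITH_VMC = "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem"
BIMI_NO_VMC = "v=BIMI1; l=https://example.com/brand.svg;"

if __name__ == "__main__":
    for name, bimi, dmarc in [
        ("ready", BIMI_WITH_VMC, READY_DMARC),
        ("monitor-only DMARC", BIMI_WITH_VMC, MONITOR_ONLY_DMARC),
        ("no VMC", BIMI_NO_VMC, READY_DMARC),
    ]:
        problems = bimi_findings(bimi, dmarc)
        print(f"{name}: {'OK' if not problems else problems}")
```

In practice you would feed `bimi_findings` the TXT records fetched from `_dmarc.<domain>` and `default._bimi.<domain>`; the point of the monitor-only case is that a `p=none` rollout, which is where most DMARC projects stall, is not enough for BIMI.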


Thank you for the info!

DMARC roll-out in itself could also attract the marketing department because it improves deliverability under the hood. I also think implementing SPF, DKIM and DMARC can be done without compromising availability by planning and monitoring well.


BIMI looks to be exactly as broken as EV, in that it assumes that company names and logos are unique - which they are not. It also suffers from the vast majority of legitimate emails not having it.

The only people who benefit from BIMI are the ones selling the quite expensive certificates.


As an end user, this is gimmicky to me, and I wouldn’t want to use an email client that causes the respective emails to appear more prominent by showing their BIMI logo. It would be similarly annoying as emojis in the subject line.


A lot of mail clients do display it though. Plus it does help the average user differentiate between rnicrosoft.com and microsoft.com, I'd guess.


Here’s what we wrote about BIMI. Some selected excerpts:

> To ensure that logos are actually truly representative of the brand involved, and more cynically, to make money and penalize small senders, an optional Verified Mark Certificate can be added to the DNS records, which some mailboxes will validate before showing the logo.

> Unfortunately VMC certificates cost upwards of $1000 USD to purchase. Which puts them out of reach for casual or small senders (of which we are big supporters here at MailPace), and undermines the BIMI effort overall.

https://blog.mailpace.com/blog/what-is-bimi/


I think it's a good initiative, it's obviously there for CAs to make a buck but it's finally a way to arguably curb phishing emails that rely on similar domain names or IDN characters all the while making your brand identity more prominent.

It seems to also have learned from one of Extended Certificate's shortcomings by relying on trademark instead of company name. I actually wish something similar was created to replace EV certificates as it's easier than ever to perform phishing attacks now that everyone and their grandmas have a DV certificate on their site (which is a good thing).
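Two comments above raise the lookalike problem BIMI is meant to help with: rnicrosoft.com versus microsoft.com, and similar domain names built from IDN characters. Whether or not a logo helps the user, a receiving system can apply the same normalisation itself. Below is an added detection example (not from any mail client or BIMI implementation): it decodes punycode labels, strips accents, maps a small set of homoglyphs and confusable sequences to their Latin look-alikes, and then compares the result against a constructed list of protected brand domains. The brand list, the sample domains and the confusables table are all constructed; the table is a deliberately small subset of the Unicode confusables data.

```python
"""Flag sender domains that resemble a protected brand domain once
rn/m-style tricks and IDN homoglyphs are normalised away.

Added example for the thread; not code from any product. PROTECTED,
HOMOGLYPHS and SEQUENCES are constructed/illustrative subsets.
"""
import unicodedata
from typing import List, Optional, Tuple

PROTECTED = ["microsoft.com", "apple.com", "example.com"]

# A few Cyrillic/Greek letters that render like Latin ones (small subset)
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a",
}
# Character pairs that read as one letter in many proportional fonts
SEQUENCES = [("rn", "m"), ("vv", "w")]
# Digits commonly substituted for letters
DIGITS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def decode_idn(domain: str) -> str:
    """Turn xn-- labels back into Unicode so homoglyphs become visible."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep the raw label; it will simply not match a brand
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: strip accents, map confusables."""
    text = decode_idn(domain)
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(HOMOGLYPHS.get(ch, ch) for ch in text)
    text = "".join(DIGITS.get(ch, ch) for ch in text)
    for seq, single in SEQUENCES:
        text = text.replace(seq, single)
    return text


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str,
                 protected: List[str] = PROTECTED) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if sender_domain impersonates a brand, else None.

    An exact match to a protected domain is the brand itself, not a lookalike.
    """
    sk = skeleton(sender_domain)
    for brand in protected:
        if sender_domain.lower() == brand:
            return None
        brand_sk = skeleton(brand)
        if sk == brand_sk:
            return (brand, "confusable spelling")
        if edit_distance(sk, brand_sk) == 1:
            return (brand, "one edit away")
    return None


if __name__ == "__main__":
    # Constructed samples: rn-for-m, a digit swap, and a Cyrillic 'apple'
    for candidate in ["rnicrosoft.com", "micros0ft.com",
                      "\u0430\u0440\u0440le.com", "microsoft.com"]:
        print(candidate, "->", lookalike_of(candidate))
```

The skeleton comparison is the cheap part; what makes it useful in a mail pipeline is running it on the DKIM-signing domain or the `From:` domain after DMARC alignment has been evaluated, so that a message which passes authentication for a lookalike domain still gets flagged.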


Trademarks still aren't 100% unique, though. For example, Apple Records is easily confused with Apple Music - both have a similar name, and both use an apple as a logo. It is better, but not foolproof.


Yes, but Apple Records aren't going to be phishing Apple Music customers.

Phishers won't be applying for trademarks to impersonate Apple.


Maybe not intentionally, but a basically-dormant company like Apple Records could very well provide a really attractive attack vector. Their security is probably going to be orders of magnitude worse than Apple Music, so why not just hack Apple Records instead?


Why not?


Expensive, you'll leave a paper trail, get shut down rather quickly. There's little to no profit that can be made like that.


Registering a domain and hosting a phishing website usually comes at a small price (around $10), which is just 1% of the VMC (I just learned that).

“Expensive” is very subjective, I think it highly depends on the financial standard of the actor and the expected value.

In the case of Apple: if it is expected to aid in phishing an interesting iCloud user, or scamming 100 users for $10, then I expect that there will be actors that will pay this initial cost to make more later on.

I agree that the classic mass-mail LQ phish actors would probably not go here, but the same holds for smaller organizations. With the current price-tag, end users then still have to trust non-BIMI and BIMI verified e-mails daily.

That seems to leave plenty of room for phishing. Also, if VMC prices drop, it will also attract more phish actors.

Though I see your point, I do not think that a financial bar is effectively combatting phishing.

I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).


You don't just need the VMC itself, you have to get a registered trademark, which is also probably up there in the thousands.

> I do not know how valid the paper trail concern is; I haven’t gone through the VMC procedure(s).

You can currently steal a credit card, lie to a registrar and start your phishing campaign. Having to have a legal entity for a phish paints a nice target on your back.


I haven’t been through the trademarking process myself, but I would assume that a LOT of them exist.

Would it be possible to register a trademark that looks similar to another company’s and impersonate them? I can’t imagine the process would be 100% effective.

Sure, the company would probably notice pretty quickly, but not before you’ve spear phished a couple of clients.


While there are multiple competing standards I'm ignoring it. At least with MTA-STS and DANE you didn't have to fork out $1000+ to support both.

There was also this which showed up a month after Google started their rollout of the BIMI checkmark: https://twitter.com/chrisplummer/status/1664075886545575941


MTA-STS and DANE are not fulfilling an even remotely similar purpose.

Plus nobody significant really follows/uses DANE, because of how shit DNSSEC is.


BIMI solves various problems DMARC/DKIM/SPF still leave open. In that sense, I applaud the initiative.

The $1000 certificate makes it unusable for anyone but the most annoying marketeers, though. Any EV certificate would've worked to serve the "business verified by a trusted third party" requirement, but CAs being CAs, they had to invent a new certificate for business reasons.

The process is further complicated by leaving it open to recipient servers whether or not they actually trust you after buying the special certificate. This does make sense for the small number of companies actually using BIMI, but it does hurt the scalability of the solution.


It's helpful to raise the priority on fixing DMARC in an organization.

It is annoyingly expensive, but I'm expecting it to change with additional CAs entering the market. Very "EV" vibes though, but it is literally for that, so.

End users might also appreciate something nicer than autogenerated one-letter icons. Matter of taste.

It also makes phish stand out more than usual, if the user has grown accustomed. We'll see its efficacy long-term though, too early to say.


> OpenAI cannot tell you if a message is spam, sorry, unless your prompt engineering skills are much better than mine.

Sometimes an e-mail message itself does not even contain enough information to accurately classify it as spam or phish. To a degree, spam is subjective. And classifying a phish may not be trivial at all (e.g. message may include legit marketing links, open redirects and server side logic to serve certain pages only to targets, etc.).


Thank you for that comment, I don't think it's something many people really understood. The same is true for phishing websites. So much depends on the context and incomplete background information. Is a website that asks you to put in your username and password bad? Well, it depends on what the website does with that information in the background. I've seen very suspicious websites asking for user information which were, in the end, just sites set up by marketing departments of the larger company who were unaware of the dangerous precedent they were setting.


Yup, when I order something I get really annoyed that I get an email for every fart that the delivery driver lets out. I'll hear the doorbell, I don't need 500 anticipatory emails. It's not a scam, not a phish, and it's 100% factual and "informative". But still junk.


It isn't spam though (being a part of a real commercial relationship, and having a working unsubscribe link), and marking it as such poisons your spam filter.


What is it then really? This sounds like a wrapper function…


Yep, it's a wrapper around some cryptographic primitives that is fairly misuse-resistant. It's not hard to screw up using the individual primitives in such a way that you lose the desirable cryptographic properties (for example, not authenticating the IV, making the plaintext vulnerable to CBC bitflip attacks); it's harder to screw up using Fernet.
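To make the "misuse-resistant wrapper" point concrete, here is an added example of a Fernet-shaped token built from the Python standard library only. It is not the cryptography library's Fernet: real Fernet uses AES-128-CBC with PKCS7 padding plus HMAC-SHA256, whereas this stand-in uses an HMAC-SHA256 counter keystream as its cipher so that it runs without third-party packages. What it does keep is the part the comment is about: the token layout (version || timestamp || IV || ciphertext || tag), a tag that covers the IV and everything else before it, and verification of that tag, in constant time, before any decryption happens. The `decrypt_without_checking_tag` function is included only to show the anti-pattern the comment warns about.

```python
"""A Fernet-like authenticated token using only the standard library.

Added example, not the cryptography library's Fernet. The cipher here is an
HMAC-SHA256 counter keystream standing in for AES-CBC; the token layout and
the encrypt-then-MAC discipline follow Fernet's design.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

VERSION = b"\x80"
TAG_LEN = 32
HEADER_LEN = 1 + 8 + 16  # version, big-endian timestamp, IV


class InvalidToken(Exception):
    pass


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Fernet splits its 32-byte key into a signing half and an encryption half."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    return key[:16], key[16:]


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC (stand-in for AES-CBC)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, enc_key: bytes, iv: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, _keystream(enc_key, iv, len(data))))


def encrypt(key: bytes, plaintext: bytes, now: Optional[int] = None) -> bytes:
    sign_key, enc_key = split_key(key)
    if now is None:
        now = int(time.time())
    iv = os.urandom(16)
    body = VERSION + struct.pack(">Q", now) + iv + _xor(plaintext, enc_key, iv)
    # The tag covers everything before it: version, timestamp, IV and ciphertext
    tag = hmac.new(sign_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt(key: bytes, token: bytes, ttl: Optional[int] = None,
            now: Optional[int] = None) -> bytes:
    sign_key, enc_key = split_key(key)
    if len(token) < HEADER_LEN + TAG_LEN or token[:1] != VERSION:
        raise InvalidToken("malformed token")
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(sign_key, body, hashlib.sha256).digest()
    # Constant-time comparison, and it happens before anything is decrypted
    if not hmac.compare_digest(tag, expected):
        raise InvalidToken("bad signature")
    timestamp = struct.unpack(">Q", body[1:9])[0]
    if ttl is not None:
        if now is None:
            now = int(time.time())
        if timestamp + ttl < now:
            raise InvalidToken("token expired")
    iv, ciphertext = body[9:HEADER_LEN], body[HEADER_LEN:]
    return _xor(ciphertext, enc_key, iv)


def is_valid(key: bytes, token: bytes, ttl: Optional[int] = None,
             now: Optional[int] = None) -> bool:
    """Convenience wrapper: True if decrypt() accepts the token."""
    try:
        decrypt(key, token, ttl=ttl, now=now)
        return True
    except InvalidToken:
        return False


def decrypt_without_checking_tag(key: bytes, token: bytes) -> bytes:
    """The anti-pattern: skipping the tag lets any ciphertext bit flip land
    in the plaintext unnoticed. Present only to show the difference."""
    _, enc_key = split_key(key)
    body = token[:-TAG_LEN]
    return _xor(body[HEADER_LEN:], enc_key, body[9:HEADER_LEN])


def flip_bit(token: bytes, offset: int) -> bytes:
    """Flip the low bit of one ciphertext byte (for the tamper demonstration)."""
    mutable = bytearray(token)
    mutable[HEADER_LEN + offset] ^= 0x01
    return bytes(mutable)


if __name__ == "__main__":
    key = os.urandom(32)
    token = encrypt(key, b"amount=100")
    print(decrypt(key, token))
    tampered = flip_bit(token, 0)
    print(decrypt_without_checking_tag(key, tampered))  # silently altered
    print("accepted by decrypt():", is_valid(key, tampered))  # False
```

The thing to notice is how little the caller can get wrong: there is no IV to pass, no choice of MAC, and no way to reach the plaintext of a token whose tag does not verify. That is the property the comment means by misuse-resistant; the individual primitives give you each piece, but only if you assemble them in this order yourself.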


It’s a high-level interface for authenticated encryption.

Calling it an algorithm is like calling HTTP an algorithm; it’s true in the most useless sense.


I hope important websites do NOT move out of the public neighborhood (CloudFlare) to discourage honouring block requests (and ultimately also these requests from being requested) from incompetent regulators.

Fortunately, CF is great at providing DDoS protection and adaptive WAF services, which should incentivise other website owners to keep using CF's services. And even better, now it cannot happen anymore because it violates (whatever is left of) net neutrality. Awesome.


> to discourage honouring block requests

It is adorable that at this point people still believe collateral damage will prevent a political move.


Have you read the adorable article? I’ll quote it for you in case you missed it.

> “With regard to the blocking of access to the IP address 190.115.18.20, the Telekom Control Commission found a violation of Article 3 Paragraph 3 of Regulation (EU) 2015/2120, because the IP access block poses the risk of ‘overblocking’ any website content.”


There is an important issue to be fixed here, yes.

It’s heartbreaking when this happens and I fully agree that there should be more checks in place to prevent this.

However, I am very glad that I live in a country where you are not allowed to record and process this because it’s a violation of my privacy.

I do not think that this is the solution.


> I am very glad that I live in a country where you are not allowed to record and process this

Hehe, I don't even know if I do but honestly I'd be happy to let it come to it. Sometimes it takes a little escalation to bring about change. For sure I'll have a look though to see what the law says here.

I know how selfish I am here but I value my kids' and my community's kids safety higher than other people's privacy. And it's not that I'd publicize the footage. Not even the offenders'. Yet :)

> I do not think that this is the solution.

I can't wait for someone to implement a "solution" because that usually requires people actually dying.


I understand where you are coming from and it doesn’t read like your goal is selfish.

Growing up my parents didn’t allow me near certain parts because of the risk of accidents, but I was fortunate enough to have a wide area to run around where it was much safer.

Even if you know who the offenders are, it’s not always directly solving the problem.

Take care and stay safe.


What privacy? It's a public road?


I don’t live in a country where it’s as one-dimensional as: (public road) ⇒ ¬(privacy rights) and I value that.


Come now, dressing your point in logical symbols doesn't make it less churlish.

We're talking about people operating motor vehicles on a public taxpayer-funded way. Clearly the public has a right to see them do it?

In California at least there are laws that limit how darkly you can tint your windows, because driver visibility is recognized as part of safe driving, eh?


What is your point? I am saying that the country where I live does not work that way and I am glad that it doesn’t.

We’re not talking about _operating motor vehicles_. I am talking about the constant recording and processing of data captured in public places without a permit.

Privacy is not one-dimensional and it should not be.


Just because you're in public doesn't give someone the right to record you. That might be legal in some places but not everywhere would tolerate that.


Why is this not front page?


Yes, this is a good take.

The general discussion is definitely prematurely focused on some sort of end-boss fight, while AI and large scale data collection are causing serious harm and privacy concerns to real humans already. It’s only reasonable to expect that this increases in the future.

I would like to see more discussion focussing on these pressing issues.

Also a pause on AI development is not an option, not a solution and is digressing from the issue at hand. Big capital with their hands on big valuable data will support anything that distracts here.

Finally, I do think that AI also brings many positives, I am not against the technology itself at all, we shouldn’t be.


name a single reason why a pause is not an option. don't say why it would be hard or unlikely or inconvenient or whatever, to exclude it as a possibility means it has to be physically impossible.

of course it isn't physically impossible. AI requires large compute, large resources. you can't advance the state of the art inconspicuously. the only reason you say it isn't an option is because you don't consider AI an existential threat, really, and therefore extreme measures aren't justified. but they actually are.


We are already facing numerous existential threats at the moment, even ones that are deliberately made to be an existential threat, take nuclear weapons.

“Hey fellow nation states, let’s not create nuclear bombs, but let’s pause developments and keep the current power dynamics fixed please” is completely unrealistic. Mind that creating nuclear weapons actually requires technical operations that are factors more complex than “large compute” in many aspects… like… enriching uranium and working with supercritical masses.

> you cant advance the state of the art inconspicuously.

What evidence has led you to believe this?


That's not even a valid request. There is obviously no valid reason to require such a pause in the first place. You've been watching too many scifi movies and don't understand the technology.


Yes and then your government controls your “trusted” connection.


Like the NSA did not control CAs? Or are you one of those conspiracy nuts that think the NSA cracked it?


The way that we deal with CAs now developed so much after these issues were disclosed.

It is actually adding to my argument. The NSA and any other government entities REALLY WANT to control these certificates. However, our interaction with CAs became much more secure now because we learned and developed things like CT logs. Major browsers are removing entire CAs from their trust store if shady stuff happens ASAP. You can’t do the same with TLDs. This argument is made frequently on here, why would you even want to propose to regress into stuff like DANE…? DNS servers are such a bad trust anchor, if you could even call it a trust anchor at all.

If you want to discuss further, I ask you to stay on topic instead of name calling.


I think that a lot of offensive tools to tunnel IP over DNS actually overcame these limitations in real time, at the expense of throughput [1]. It obviously does require agreeing on some sort of protocol on both sides though.

[1] https://github.com/yarrick/iodine
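From the defender's side, the tunnelling the comment above describes has a recognisable footprint in resolver logs: a stream of distinct, long, high-entropy subdomains under one base domain, often with uncommon query types. The following is an added detection example, not code from iodine or any product. The log lines are constructed, the line format ("timestamp client qname qtype") is made up for the example, and the thresholds are assumptions you would tune against your own traffic; grouping at the last two labels is also a simplification, since a real deployment would use a public suffix list.

```python
"""Score DNS query logs for the footprint of a DNS-over-IP tunnel.

Added detection example (not from iodine or any product). The sample log,
its line format and the thresholds are all constructed for illustration.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample log: 'timestamp client qname qtype'. The first five are
# ordinary lookups; the rest carry data in the subdomain the way a tunnel does.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 cdn.example.com A
1700000003 10.0.0.7 api.example.com AAAA
1700000004 10.0.0.5 static.example.com A
1700000005 10.0.0.9 0v8k2qzx7mr4hw1tjc9lp5ny3egb6udf.t.example.net NULL
1700000006 10.0.0.9 p3dl7wq0tx9ka5mr2zf8hc1bn6ye4vgu.t.example.net NULL
1700000007 10.0.0.9 z6xw1qm9rp3tk0hc5bv8ln2de7gy4fja.t.example.net TXT
1700000008 10.0.0.9 h4nb8ez2ty6kq0wr1mp7cx3dl9vf5ugj.t.example.net NULL
1700000009 10.0.0.9 m2fk7zv4qy0gb9cx3rt6ph1wn8ld5eju.t.example.net NULL
1700000010 10.0.0.9 t9rw3lx6pd1kz5nq8cv2gb4fm0yh7eju.t.example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str, depth: int = 2) -> str:
    """Last `depth` labels (simplification: no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def analyse(log_text: str, min_queries: int = 5, min_avg_len: int = 20,
            min_entropy: float = 3.0) -> Dict[str, dict]:
    """Per base domain: query stats plus a 'suspicious' verdict."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # constructed format; skip anything that does not fit
        _, _, qname, qtype = parts
        base = base_domain(qname)
        sub = qname.rstrip(".").lower()[: -len(base)].rstrip(".")
        per_domain[base].append((sub, qtype.upper()))

    report = {}
    for base, entries in per_domain.items():
        subs = [s for s, _ in entries]
        n = len(subs)
        unique = len(set(subs))
        avg_len = sum(len(s) for s in subs) / n
        avg_ent = sum(shannon_entropy(s) for s in subs) / n
        rare = sum(1 for _, t in entries if t in ("NULL", "TXT")) / n
        suspicious = (n >= min_queries and unique / n >= 0.8
                      and avg_len >= min_avg_len and avg_ent >= min_entropy)
        report[base] = {
            "queries": n,
            "unique": unique,
            "avg_subdomain_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "rare_qtype_ratio": round(rare, 2),  # informational, not a trigger
            "suspicious": suspicious,
        }
    return report


def suspicious_domains(log_text: str) -> List[str]:
    return sorted(b for b, s in analyse(log_text).items() if s["suspicious"])


if __name__ == "__main__":
    for base, stats in analyse(SAMPLE_LOG).items():
        print(base, stats)
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

The uniqueness ratio matters as much as the entropy: a CDN also produces long hashed hostnames, but it repeats them, whereas a tunnel cannot reuse a name without the resolver serving the answer from cache.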

