Ask HN: Why big email providers don't sign the email?
3 points by ddalex on Feb 4, 2016 | 1 comment
I completely understand the resistance of Gmail and the like to full end-to-end email encryption.

What I don't understand is the resistance to cryptographically signing the outbound email and discarding incoming spoofed emails that don't have proper signatures. This simple move would create a high barrier for phishing emails, since they don't have valid signatures for the organization that supposedly sent them.

Do you have any insight into this scheme?



Signing without encryption is worse than useless by providing a false sense of security (see e.g. http://th.informatik.uni-mannheim.de/people/lucks/HashCollis... , MD5 used as an example); and costs to start signing are virtually identical to encrypt-and-sign (not just financial costs to providers: most of all time-and-effort for everyone, including users).



