Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

Authentication

10/29/2019
01:43 PM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

MSFT Floats an ARC

As far back as 2015, the group responsible for Domain-based Message Authentication, Reporting & Conformance specification realized that one implementation was not going to solve the problem of email spoofing.

As far back as 2015, the group responsible for Domain-based Message Authentication, Reporting & Conformance (DMARC) specification realized that one implementation was not going to solve the problem of email spoofing.

It was apparent that some users (like those working with mailing lists) would be negatively impacted by the changes DMARC brought. Some workarounds were quickly deployed by service providers and those mailing lists. Two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), had a goal to engage the technical community in helping to refine and test the proposed solution with deployers such as Google, Microsoft and Yahoo.

Specifications of the ARC protocol were published in June 2019 by the IETF.

ARC protocol provides an authenticated "chain of custody" for a message, allowing each entity that handles the message to see what entities handled it before and what the message's authentication assessment was at each step in the handling.

Using ARC, signatures from domains that participate in it can be reliably linked to that domain. Also, intermediaries that alter a message can do so with attribution. This makes it extremely useful for forwarded messages.

Before ARC, modifications performed by intermediaries in email routing, like forwarding rules or automatic signatures, could cause email authentication results to fail by the time the email reached the recipient mailbox.

MSFT has said that, as of October 2019, it has integrated ARC into its Office 365 product by enabling it on Office 365 mailboxes. They further describe its use as, "All hosted mailboxes in Office 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing detection."

At the beginning of the effort, MSFT has only committed to using ARC in Office 365. MSFT says in the new roadmap that "Initially ARC will only be utilized to verify authentication results within Office 365, but plan to add support for third party signers in the future."

"More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler," Steven Jones, executive director of DMARC.org, said in 2015.

"With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally."

But actually getting ARC done and implemented has taken a long period of time. Other major message handlers have added their own handlers and workarounds to deal with messages. However, Gmail and AOL validate through ARC at the present time so MSFT is playing a bit of the catch-up game.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7779
PUBLISHED: 2020-11-26
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails - for example, [email protected]-----------------------------------------------------------!.
CVE-2020-7778
PUBLISHED: 2020-11-26
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
CVE-2020-29128
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
CVE-2020-27251
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVE-2020-27253
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.