Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

Authentication

10/29/2019
01:43 PM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

MSFT Floats an ARC

As far back as 2015, the group responsible for Domain-based Message Authentication, Reporting & Conformance specification realized that one implementation was not going to solve the problem of email spoofing.

As far back as 2015, the group responsible for Domain-based Message Authentication, Reporting & Conformance (DMARC) specification realized that one implementation was not going to solve the problem of email spoofing.

It was apparent that some users (like those working with mailing lists) would be negatively impacted by the changes DMARC brought. Some workarounds were quickly deployed by service providers and those mailing lists. Two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), had a goal to engage the technical community in helping to refine and test the proposed solution with deployers such as Google, Microsoft and Yahoo.

Specifications of the ARC protocol were published in June 2019 by the IETF.

ARC protocol provides an authenticated "chain of custody" for a message, allowing each entity that handles the message to see what entities handled it before and what the message's authentication assessment was at each step in the handling.

Using ARC, signatures from domains that participate in it can be reliably linked to that domain. Also, intermediaries that alter a message can do so with attribution. This makes it extremely useful for forwarded messages.

Before ARC, modifications performed by intermediaries in email routing, like forwarding rules or automatic signatures, could cause email authentication results to fail by the time the email reached the recipient mailbox.

MSFT has said that, as of October 2019, it has integrated ARC into its Office 365 product by enabling it on Office 365 mailboxes. They further describe its use as, "All hosted mailboxes in Office 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing detection."

At the beginning of the effort, MSFT has only committed to using ARC in Office 365. MSFT says in the new roadmap that "Initially ARC will only be utilized to verify authentication results within Office 365, but plan to add support for third party signers in the future."

"More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler," Steven Jones, executive director of DMARC.org, said in 2015.

"With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally."

But actually getting ARC done and implemented has taken a long period of time. Other major message handlers have added their own handlers and workarounds to deal with messages. However, Gmail and AOL validate through ARC at the present time so MSFT is playing a bit of the catch-up game.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-22864
PUBLISHED: 2021-10-26
A cross site scripting (XSS) vulnerability in the Insert Video function of Froala WYSIWYG Editor 3.1.0 allows attackers to execute arbitrary web scripts or HTML.
CVE-2021-23877
PUBLISHED: 2021-10-26
Privilege escalation vulnerability in the Windows trial installer of McAfee Total Protection (MTP) prior to 16.0.34_x may allow a local user to run arbitrary code as the admin user by replacing a specific temporary file created during the installation of the trial version of MTP.
CVE-2021-41866
PUBLISHED: 2021-10-26
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
CVE-2019-3556
PUBLISHED: 2021-10-26
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where o...
CVE-2021-35499
PUBLISHED: 2021-10-26
The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim...