Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

Authentication

10/29/2019
01:43 PM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

MSFT Floats an ARC

As far back as 2015, the group responsible for Domain-based Message Authentication, Reporting & Conformance specification realized that one implementation was not going to solve the problem of email spoofing.

As far back as 2015, the group responsible for Domain-based Message Authentication, Reporting & Conformance (DMARC) specification realized that one implementation was not going to solve the problem of email spoofing.

It was apparent that some users (like those working with mailing lists) would be negatively impacted by the changes DMARC brought. Some workarounds were quickly deployed by service providers and those mailing lists. Two long-term solutions were submitted to the IETF for consideration. One of these, the Authenticated Received Chain (ARC), had a goal to engage the technical community in helping to refine and test the proposed solution with deployers such as Google, Microsoft and Yahoo.

Specifications of the ARC protocol were published in June 2019 by the IETF.

ARC protocol provides an authenticated "chain of custody" for a message, allowing each entity that handles the message to see what entities handled it before and what the message's authentication assessment was at each step in the handling.

Using ARC, signatures from domains that participate in it can be reliably linked to that domain. Also, intermediaries that alter a message can do so with attribution. This makes it extremely useful for forwarded messages.

Before ARC, modifications performed by intermediaries in email routing, like forwarding rules or automatic signatures, could cause email authentication results to fail by the time the email reached the recipient mailbox.

MSFT has said that, as of October 2019, it has integrated ARC into its Office 365 product by enabling it on Office 365 mailboxes. They further describe its use as, "All hosted mailboxes in Office 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing detection."

At the beginning of the effort, MSFT has only committed to using ARC in Office 365. MSFT says in the new roadmap that "Initially ARC will only be utilized to verify authentication results within Office 365, but plan to add support for third party signers in the future."

"More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler," Steven Jones, executive director of DMARC.org, said in 2015.

"With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally."

But actually getting ARC done and implemented has taken a long period of time. Other major message handlers have added their own handlers and workarounds to deal with messages. However, Gmail and AOL validate through ARC at the present time so MSFT is playing a bit of the catch-up game.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16123
PUBLISHED: 2020-12-04
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by...
CVE-2018-21270
PUBLISHED: 2020-12-03
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
CVE-2020-26248
PUBLISHED: 2020-12-03
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
CVE-2020-29529
PUBLISHED: 2020-12-03
HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.
CVE-2020-29534
PUBLISHED: 2020-12-03
An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.