The absence of any true centralised control of the Internet, and the open nature of the protocols that support it, are characteristics that have lead to its rapid adoption, but also have given rise to considerable abuse and fraud. This is acutely illustrated in use of the network to send unsolicited messages whilst masking or “spoofing” the identity of the sender. For example, protocols, such as SMTP, that allow the transmission of emails between computers on the Internet, allow messages to be sent with headers, such as in the “from” field, that do not provide an indication as to the true location from which the emails have been sent and often do not represent a valid return address. This allows parties who send unsolicited emails, most of which are commonly referred to as “Spam”, to remain fictitious and anonymous. Another significant problem is spoofing of emails so as to represent the message as coming from another party, such as a financial institution or a reputable ecommerce site, and soliciting the entry of personal information and account details. This type of spoofing scam is considerably more serious and is known as “phishing”. A number of banks, such as Citigroup, Lloyds, TSB, Barclays, the Bank of America, and the ANZ Bank of Australia, have been the subject of phishing attacks where emails have been sent which appear to have come from the banks and request customer account, debit and credit card data.
A number of developments have been introduced and proposed to address the problems posed by the unsolicited and fraudulent messages currently being sent. For example, software has been developed by a number of parties to filter Spam received by email clients. The filters may be installed on a client machine or a receiving mail server (which may be maintained by an Internet service provider (ISP) or within a local area network). Whilst the Spam filters are successful to a certain degree, and are able to eliminate a relatively high percentage of Spam, a filter is yet to be produced that is able to eliminate all unsolicited email without also filtering valid messages.
Systems have also been developed to certify an email as being authentic or valid, primarily on the basis of authenticating or verifying the sender. Most email clients, such as Microsoft Outlook Express, Microsoft Outlook 2000 and Apple's Mail.app application, support the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard which provides a protocol that enables digital signatures, certificates and encryption to be added to the MIME format. This allows senders of emails to digitally sign their emails so that they can be authenticated and verified by a receiver. This facility, however, is under utilized by users of email clients, and unfortunately is also open to abuse. The emails can be signed with a digital certificate obtained from a certification authority (“CA”), such as VriSign Corporation. Whilst some CAs apply rigorous processes concerning determining the identity of parties requesting a digital certificate, others unfortunately do not. For example, a personal email digital certificate can be obtained from Thawte Technologies Inc. using a relatively simple procedure without any offline verification.
Another significant problem in sending digitally signed emails in large corporations is managing the security and safeguarding of the digital certificates. Typically, the sender of an email requires the certificate to be stored on his computer. This poses serious security issues if the computer is stolen or the certificate is improperly copied and used by another email sender. Furthermore, in many situations such as centralised call centres, many computer operators may send emails with the same email address, eg support@company.com. For all these emails to be digitally signed, each computer requires a copy of the digital certificate, thereby increasing the risk of certificate theft or loss.
Furthermore, the manner in which the current email clients indicate that an email has been digitally signed is by the display of a seal logo that most users either neglect, ignore or are unaware of what it represents. The seal logo needs to be clicked on by the recipient of an email to display information on the owner of the digital signature that sent the email and any certificate used when signing the email.
A number of solutions have been proposed to address phishing, such as those proposed by the Anti-Phishing Working Group. These include providing web site authentication using physical tokens (such as a smart card), using client software to verify the authenticity of web sites, and digitally signing all emails using S/MIME, as discussed above. For the latter approach, the digitally signed emails will be either verified by the client or a gateway using the standard processes for the S/MIME standard. All of these approaches suffer the difficulties discussed above, are impractical to implement or do not provide a solution for recipients of emails to determine whether they can trust the origin or the content of an email they receive as being authentic or indeed having really been sent by the sender identified. Accordingly, it is desired to address this or at least provide a useful alternative.