
10/29/2019 01:43 PM
Larry Loeb
MSFT Floats an ARC

As far back as 2015, the group responsible for the Domain-based Message Authentication, Reporting & Conformance (DMARC) specification realized that a single implementation was not going to solve the problem of email spoofing.

It was apparent that some users (such as those working with mailing lists) would be negatively affected by the changes DMARC brought. Service providers and the mailing lists themselves quickly deployed workarounds, and two long-term solutions were submitted to the IETF for consideration. One of these, Authenticated Received Chain (ARC), set out to engage the technical community in refining and testing the proposed solution together with large deployers such as Google, Microsoft and Yahoo.

Specifications of the ARC protocol were published in June 2019 by the IETF.

The ARC protocol provides an authenticated "chain of custody" for a message: each entity that handles the message can see which entities handled it before and what the message's authentication assessment was at each step along the way.

With ARC, each participating domain's signature can be reliably attributed to that domain, and intermediaries that alter a message do so with attribution. This makes ARC especially useful for forwarded messages.

Before ARC, modifications made by intermediaries along the delivery path, such as forwarding rules or automatically added signatures, could cause email authentication results to fail by the time the message reached the recipient's mailbox.
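To make the "chain of custody" concrete, here is an added example (not from the article, and not Microsoft's or any provider's code) that walks a constructed set of ARC headers hop by hop, applies the structural rules of the ARC specification (contiguous instance numbers, a complete ARC-Seal/ARC-Message-Signature/ARC-Authentication-Results set per hop, cv=none on the first seal and cv=pass on later ones) and reports the authentication results each intermediary recorded. All header values and domain names are constructed, and the cryptographic signatures are not verified, since that requires fetching each hop's DNS-published key.

```python
# Constructed sample headers (not from the article): hop i=1 added by a mailing
# list, hop i=2 added by a forwarder whose re-formatting broke the DKIM body hash.
SAMPLE_HEADERS = """\
ARC-Seal: i=2; a=rsa-sha256; t=1572368580; cv=pass; d=forwarder.example; s=arc; b=AAAA=
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example; s=arc; h=from:to:subject; bh=BBBB=; b=CCCC=
ARC-Authentication-Results: i=2; forwarder.example; arc=pass; dkim=fail (body hash mismatch) header.d=sender.example
ARC-Seal: i=1; a=rsa-sha256; t=1572368000; cv=none; d=list.example; s=arc; b=DDDD=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=list.example; s=arc; h=from:to:subject; bh=EEEE=; b=FFFF=
ARC-Authentication-Results: i=1; list.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example; dmarc=pass
"""
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def parse_tags(value):
    """Parse a 'k=v; k2=v2' tag list into a dict (parts without '=' are skipped)."""
    tags = {}
    for part in value.split(";"):
        k, sep, v = part.strip().partition("=")
        if sep:
            tags[k.strip()] = v.strip()
    return tags

def collect_arc_sets(raw_headers):
    """Group the three ARC headers by instance number i=; returns {i: {name: value}}."""
    sets = {}
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        tags = parse_tags(value)
        if name in ARC_HEADERS and tags.get("i", "").isdigit():
            sets.setdefault(int(tags["i"]), {})[name] = value.strip()
    return sets

def validate_chain(raw_headers):
    """Structural chain check: instances contiguous from 1, every set complete,
    i=1 seal cv=none, later seals cv=pass. Returns (ok, hops) where hops lists
    the domain and recorded authentication results at each step. The RSA
    signatures are NOT verified here; that needs each hop's DNS-published key."""
    sets, hops = collect_arc_sets(raw_headers), []
    for i in range(1, max(sets, default=0) + 1):
        s = sets.get(i, {})
        if any(h not in s for h in ARC_HEADERS):
            return False, hops
        seal = parse_tags(s["ARC-Seal"])
        parts = [p.strip() for p in s["ARC-Authentication-Results"].split(";", 2)] + ["", ""]
        hops.append({"i": i, "domain": seal.get("d"), "cv": seal.get("cv"),
                     "authserv_id": parts[1], "results": parts[2]})
        if seal.get("cv") != ("none" if i == 1 else "pass"):
            return False, hops
    return bool(hops), hops
```

Run against the sample, the chain validates structurally and the per-hop output shows the original dkim=pass/dmarc=pass recorded by the list at hop 1 surviving alongside the dkim=fail the forwarder observed at hop 2, which is exactly the information a receiver uses to override a DMARC failure.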

MSFT has said that, as of October 2019, it has integrated ARC into its Office 365 product by enabling it on Office 365 mailboxes. It describes the effect this way: "All hosted mailboxes in Office 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing detection."

For now, MSFT has committed only to using ARC within Office 365. Its roadmap states: "Initially ARC will only be utilized to verify authentication results within Office 365, but plan to add support for third party signers in the future."

"More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler," Steven Jones, executive director of DMARC.org, said in 2015.

"With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally."

But getting ARC finished and deployed has taken a long time. In the meantime, other major mail providers have added their own handling and workarounds for these messages. Gmail and AOL already validate through ARC today, so MSFT is playing a bit of catch-up.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
