Wow.  This is pretty scary.

There’s really no way to stop someone from registering a misspelled domain name and capturing emails.  The big takeaway from this research is that if you must send sensitive information over email:

1) Proofread your recipient list.

2) Use encryption!

I’m surprised that the original paper does not mention encryption as a mitigation strategy.  The suggestions they do give are good ideas (register the domains yourself, configure DNS and mail servers to ignore these types of domains, etc.), but encrypting important things like passwords and network diagrams should be implemented as well.

If I accidentally sent an important email to bgates@microsfot.com, the person receiving the message at ‘microsfot.com’*  would get a jumbled mess if I encrypted it with bgates’ public key.

*Microsoft already owns most of these misspelled domains.

