Open Bug 1670078 Opened 4 years ago Updated 4 months ago

Add Support for BIMI (Brand Indicators for Message Identification)

Categories

(Thunderbird :: Mail Window Front End, enhancement)

enhancement

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: github, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

Added a DNS record to my domain according to the BIMI draft ( https://authindicators.github.io/rfc-brand-indicators-for-message-identification )

It's a TXT record found at default._bimi.snowman25.de

Actual results:

No icon was displayed alongside an e-mail coming from my domain

Expected results:

The icon at https://pic.snowman25.de/icon.svg should be displayed alongside the e-mail.

Component: Untriaged → General
Component: General → Mail Window Front End

Yes, please add this feature. It not only looks cool, it also gives visual validation to genuine emails (which must come from domains with DMARC p=reject|quarantine).

BIMI records protect your brand reputation from spoofed brand emails. BIMI is a new standard that can monitor or curb online impersonation. BIMI builds on the DMARC standard for email authentication. Before a sender's email reaches a user's inbox, the email platform checks each email against the sender's DMARC record to confirm it is authenticated. An organization can add a BIMI certificate once DMARC has been adopted, then update the domain record to include its BIMI policy.
Need to know more about BIMI records? Read this: https://migomail.com/bimi-records-to-protect-brand-reputation-in-spoofing-brand-email

Actually I was in support of this feature at the beginning, but given the current state of BIMI, where only large corporations can participate by invitation (Visual Mark Certificates (VMC) are not available to the public yet), and the fact that a trademark registration and the payment of a presumably hefty verification fee is required to be able to participate, I'm against it.

The reason I'm against it is that it widens the numerical divide, as it rules out countries with small buying power, small organizations and gives advantage to big ones, be they corporations, NGOs, or open-source projects without a spare thousand dollars to spend on trademark registration, and then hundreds yearly to keep the trademark registered.

The other reason is that it participates in the never-ending complexification of the Internet, making it harder and harder to have a self-hosted e-mail server. That gives again advantage to large corporations with the manpower to address the growing complexity. And it also further fragilizes our society by adding dependencies on basic communication tools like e-mail. Society complexifications have led to civilization collapses in the past. So do we want to help push in that direction?

I will happily revisit my point of view if it becomes affordable for small organizations too (i.e. the rules are relaxed and the costs go down).

These are no hard thoughts, just my own thoughts on the subject. I'm just a user and don't have any decision power on this. So no hard feelings either if it gets implemented, as security of users is a good thing as long as it doesn't complexify their lives.

That "Visual Mark Certificates (VMC) are not available to the public yet" is just plain wrong, as there are at least two CAs offering VMCs, and it's easy to find out.

Moreover, from a quick consultation of the WIPO and USPTO websites it seems to me that the costs for registering a trademark are quite affordable by a very large number of companies, even small ones. However, I am no expert in this field and therefore I may be wrong.

I would welcome an option that the user can configure to either require VMC, or to work even if no VMC exists (empty 'a='-part in the DNS-record). Lowering the bar to this entrance-level might support the adoption.

Trademarks are not too expensive (at least in the UK), unfortunately VMCs are (I think they start at about $800 p.a.), but it is a duopoly. When do we get Letsencrypt VMCs? ;-)

VMCs seem like a horrible idea. The premise that a central authority should be trusted at all is just repeating mistakes. On the other hand... I set up a record for my domain and the (appropriate?) SVG format using https://github.com/authindicators/svg-ps-converters/; the inspector at https://bimigroup.org/bimi-generator/ (blackrosetech.com) doesn't throw any errors and FairEmail shows the expected logos. OTOH, https://www.mailkit.com/resources/bimi-inspector/blackrosetech.com barfs, so YMMV.

Perhaps simply ignoring VMC records is sufficient to permit the feature to work as expected without supporting yet another certificate mafia trying to extract rent from the internets.

If VMC rents are intrinsic to the premise, then for certain the initiative should be rejected for the reasons @Beat very well enumerates: the registration requirement is blocking; nothing should privilege corporate email over self-hosted, nor create any meaningful impediments to self-hosted email.

The fact that some email clients display BIMI logos even without VMCs does not solve the problem. Indeed, for obvious reasons it represents a security problem. If I were a phisher, I could insert the logo of a well-known bank in the BIMI record of my domain and with that I would probably be more successful in fooling users who use such email clients.

I realized I wasn't entirely clear. When I wrote I'd welcome an option for the user to either require VMC or disable that check, I meant something similar to a TLS certificate check; the logo is shown, but with a warning of some kind, indicating it is an unverified logo.

Yes, it could be a good solution if implemented wisely.
I would like that, in the presence of a BIMI record without VMC on the sender's domain, TB would show a blank logo with a clickable warning triangle; clicking the triangle would bring up a deterrent warning dialog which would trigger the logo rendering only if the user accepted the risk that this entails. Of course, if I then open a different message and then go back to the previous one, TB should remember if I previously asked to see the logo, but should "forget" everything when I exit. Of course, if the BIMI record also contains a (valid) VMC, TB would render it without asking anything to the user, but this requires more complex logic to verify the VMC (and react appropriately in case it was invalid) and could be implemented later.

I believe the use of graphic avatars is helpful - this forum's use of gravatars is a good example, even if TB currently doesn't seem to have a working avatar option. The BIMI model of having a DNS-referenced domain-default avatar seems like a useful extension of the premise and it appeals to me. The premise that these domain-default avatars would be limited to wealthy organizations with $1k (ish) to drop on VMC and, in the US, at least $250 for self-service trade mark registration or another $1k (ish) for lawyers to handle the registration process - and $525 per decade for renewal fees - seems contrary to the goal of a free and open internet.

The BIMI/VMC model assumes that a malicious actor would be stymied should they attempt to register a look-alike trade mark, which is obviously a completely false assumption, especially given global coverage and that trade marks are limited to regions and industry. Convincing users that these certifications are trustworthy (to the extent that users remotely understand the premise) gives false confidence. I'm not sure people fully understand that while email is global, trademarks are not globally unique: they are both region- and industry-specific (per class of goods/services), e.g. "Budweiser."

https://www.iipta.com/can-trademark-word-mark-another-company-different-countries/#:~:text=You%20can%20very%20well%20Trademark,t%20have%20presence%20as%20well.

There's a conundrum created by a high registration cost which limits VMC registrations to either wealthy organizations or to scammers with healthy profit margins; it tends to marginalize both less wealthy organizations or individuals and less successful scammers--to the extent that a user understands the intent of the domain-default avatar showing at all. If BIMI wanted to be inclusive, it would be acceptable (or even required) to sign the .svg with the DKIM private key. Given limited support for BIMI now, TB might be able to make this a standard.

Indeed, as address-specific avatar icons are well established in many mail products (and were quite popular add-ons for earlier versions of TB), I'd assume users will simply see the logo presentation as an avatar icon with no particular validating meaning. And, I'd argue, avatars should supersede BIMI logos if the user has specified one in their address book (CardBook as TB currently stands). (Cardbook could default to BIMI domain default avatars if there isn't either a user-specified address-specific avatar or gravatar available). Gmail shows address specific avatars and BIMI domain-default avatars identically, but does not show unsigned BIMI like mine :-( . FairEmail does show unsigned BIMI domain-default logos :-)

As it is probably somewhat marginalizing toward any hope of making inroads into corporate email to fully reject the corporate assumptions of the sanctity of their brands and the value derived from making large payments to law firms or some certificate mafia, privileging fully paid-up VMCs seems like good corporate politics. However, de-privileging those without the resources to pay to play also has costs: further driving the internet and digital services away from being a common good and toward being a corporate monopoly, which I'd argue is suboptimal.

I find Firefox's "deterrent warning" model tolerable because it remembers all overrides. I am annoyed warnings are displayed for LAN resources at all (which has no real analog in email). I'm annoyed I can't override certificate validation checks entirely (which does have an analog for BIMI authentication). Chrome's command line switch "--ignore-certificate-errors" is very helpful for this.

I'd suggest that BIMI support offer the best of both options:

By default show a clickable indicator of verification status, something like green/red - this would also differentiate BIMI domain-default avatars from address-specific avatars. Clicking the domain default should bring up some useful detail about the source of the avatar, DMARC, SPF, DKIM status, the SSL certificate information of the avatar hosting site, avatar signing certificate and public key ID, etc. - and the source and sender details of address-specific avatars.

I do not think the default should be to fail to show non VMC paid-up domain-default avatars as doing so will tend to disadvantage less-wealthy organizations. The premise should not be "only the wealthy can be trusted."

I'd suggest that "about:config" get a new option: security.bimi.validation.mode that takes the values "off", "default", "strict".

If set to "off" then suppress or minimize signing indicators.
Set to "default" as above - with clearly visible signing status indicators.
If set to "strict" then perhaps as Adriano Santoni suggests, making display of unsigned avatars a hassle and only temporary.

And on this topic, a good point is made here: https://techbeacon.com/security/bimi-email-standard-security-fix-or-privacy-fail

Grabbing the icon on list view/open message has the same function as loading a remote image - it is a tracking pixel (or vector in this case). If the domain-default avatar is shown, it should be cached indefinitely to avoid sending message opened indicators and should respect the "do not load remote images" flag.
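The presentation logic proposed in this comment and the earlier ones (the DMARC p=reject|quarantine gate, an empty a= meaning "no VMC", the off/default/strict modes, a session-only override for unsigned logos, and a cache so the logo host is not contacted again when a message is re-opened), as an added JavaScript example. This is not Thunderbird code and not any commenter's code. It assumes the raw TXT strings for default._bimi.<domain> and _dmarc.<domain> have already been looked up, uses the mode names from the about:config proposal above as an assumption, reports a VMC URL without validating the certificate, and the sample records at the end are constructed:

```javascript
// Added example, not Thunderbird code: the presentation logic proposed in this
// thread for a BIMI domain-default logo. Inputs are the raw TXT strings for
// default._bimi.<domain> and _dmarc.<domain> (the lookup itself is out of
// scope). Mode names are the assumed "off" | "default" | "strict" from the
// about:config proposal above. A VMC URL is reported, not validated.

// Parse "tag=value; tag=value" syntax (BIMI and DMARC records share it).
function parseTagValue(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

// Only https URLs are acceptable for the logo (l=) and the VMC (a=).
function httpsUrl(value) {
  if (!value) return null;
  try {
    const u = new URL(value);
    return u.protocol === "https:" ? u.href : null;
  } catch {
    return null;
  }
}

// As stated earlier in the thread, the sending domain must publish DMARC
// p=reject or p=quarantine. The draft adds further conditions (for example
// on sp= and pct=) that this example does not check.
function dmarcQualifies(dmarcTxt) {
  if (!dmarcTxt) return false;
  const t = parseTagValue(dmarcTxt);
  const p = (t.p || "").toLowerCase();
  return t.v === "DMARC1" && (p === "reject" || p === "quarantine");
}

// sessionOverrides: domains whose unsigned logo the user accepted this
// session (forgotten on exit). logoCache: domain -> logo URL already
// fetched, so re-opening a message does not contact the logo host again
// (the tracking-pixel concern above).
function bimiDecision({ domain, bimiTxt, dmarcTxt, mode = "default",
                        remoteImagesAllowed = true,
                        sessionOverrides = new Set(), logoCache = new Map() }) {
  const hide = (reason) => ({ show: false, reason });
  if (mode === "off" || !bimiTxt) return hide("off-or-no-record");
  const bimi = parseTagValue(bimiTxt);
  if (bimi.v !== "BIMI1") return hide("bad-version");
  if (!dmarcQualifies(dmarcTxt)) return hide("dmarc-policy");
  const logoUrl = httpsUrl(bimi.l);
  if (!logoUrl) return hide("no-logo");
  const vmcUrl = httpsUrl(bimi.a); // absent or empty a= means "no VMC"
  const status = vmcUrl ? "vmc-claimed" : "unsigned";
  if (mode === "strict" && !vmcUrl && !sessionOverrides.has(domain)) {
    // strict: keep the slot blank and let the user opt in per session
    return { show: false, reason: "strict-unsigned", indicator: "warning", logoUrl };
  }
  const cached = logoCache.has(domain);
  if (!cached && !remoteImagesAllowed) return hide("remote-blocked");
  if (!cached) logoCache.set(domain, logoUrl);
  return { show: true, status, indicator: vmcUrl ? "green" : "red",
           logoUrl, vmcUrl, fetch: !cached };
}

// Constructed sample records (not real DNS data).
const SAMPLE_BIMI = "v=BIMI1; l=https://pic.example.com/icon.svg; a=";
const SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com";
```

The `fetch` flag is what a caller would key the actual network request on: a domain already in `logoCache` never causes a second request, and with remote images disabled an uncached logo is simply not shown rather than fetched.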

(In reply to Beat from comment #6)

> Actually I was in support of this feature at the beginning, but given the current state of BIMI, where only large corporations can participate by invitation (Visual Mark Certificates (VMC) are not available to the public yet), and the fact that a trademark registration and the payment of a presumably hefty verification fee is required to be able to participate, I'm against it.

Which is nonsense. If you don't know what you are talking about, just keep your mouth shut:
There are only 4 things you really need: a domain, a properly configured MX for it, a webserver to store your logo.svg and a TXT record in the DNS which offers the location of your logo to the public. A cert is not needed at all - companies may buy one, if they wish - this step is just for money making, it does not increase the security of e-mail at all.
In my humble opinion Thunderbird is a free e-mail client and so it should handle BIMIs freely, too:
Look for a BIMI for every domain, if it has one, display it. If the domain also got a record to a valid certificate, just give it an additional halo around it, if you hover over it display more information.

My add-on DKIM Verifier now has some BIMI support in the newest version.

Note that it does not do any BIMI lookup itself.
It relies on what a mail server supporting BIMI writes into the Authentication-Results and BIMI-Indicator headers.
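What consuming those server-added headers looks like, as an added JavaScript example; this is not DKIM Verifier's code. It assumes the header layout from the BIMI draft (a `bimi=pass header.d=<domain> header.selector=<selector>` entry in Authentication-Results, and the base64-encoded SVG in BIMI-Indicator), assumes the client knows the authserv-id of its own receiving server, and the sample headers are constructed. The check a practitioner would add: only the Authentication-Results header stamped by that trusted server counts, because a sender can inject such headers as easily as the receiving MX can add them.

```javascript
// Added example, not DKIM Verifier's code: read the BIMI verdict and the
// indicator that a BIMI-aware receiving server wrote into the message.
// Assumed header layout (per the BIMI draft): Authentication-Results with a
// "bimi=pass header.d=... header.selector=..." entry, and BIMI-Indicator
// carrying the base64-encoded SVG.

// Unfold RFC 5322 header lines and split into [name, value] pairs.
function parseHeaders(raw) {
  const unfolded = raw.replace(/\r?\n[ \t]+/g, " ");
  const out = [];
  for (const line of unfolded.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    out.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return out;
}

// Parse one Authentication-Results value into its authserv-id and a list of
// { method, result, props } entries (a simplified reading of RFC 8601).
function parseAuthResults(value) {
  const [authserv, ...rest] = value.split(";").map((s) => s.trim());
  const entries = [];
  for (const stanza of rest) {
    if (!stanza) continue;
    const [methodResult, ...props] = stanza.split(/\s+/);
    const [method, result] = methodResult.split("=");
    const p = {};
    for (const prop of props) {
      const j = prop.indexOf("=");
      if (j !== -1) p[prop.slice(0, j).toLowerCase()] = prop.slice(j + 1);
    }
    entries.push({ method: method.toLowerCase(), result: (result || "").toLowerCase(), props: p });
  }
  return { authserv: authserv.toLowerCase(), entries };
}

// BIMI verdict from the trusted server's Authentication-Results only.
// Headers claiming another authserv-id are ignored: anyone can add them.
function bimiVerdict(rawHeaders, trustedAuthserv) {
  for (const [name, value] of parseHeaders(rawHeaders)) {
    if (name !== "authentication-results") continue;
    const ar = parseAuthResults(value);
    if (ar.authserv !== trustedAuthserv.toLowerCase()) continue;
    const e = ar.entries.find((x) => x.method === "bimi");
    if (e) {
      return { pass: e.result === "pass",
               domain: e.props["header.d"] || null,
               selector: e.props["header.selector"] || null };
    }
  }
  return null;
}

// Decode BIMI-Indicator. This is a conservative sanity check (it must look
// like an SVG document and must not carry script, event handlers or
// external http(s) references), not the draft's full SVG Tiny PS check.
function decodeIndicator(rawHeaders) {
  const h = parseHeaders(rawHeaders).find(([n]) => n === "bimi-indicator");
  if (!h) return null;
  const svg = Buffer.from(h[1].replace(/\s+/g, ""), "base64").toString("utf8");
  if (!/^\s*(<\?xml[^>]*\?>\s*)?<svg\b/i.test(svg)) return null;
  if (/<script\b|\bon\w+\s*=|\bhref\s*=\s*["']?\s*https?:/i.test(svg)) return null;
  return svg;
}

// Constructed sample message headers (not a real capture).
const SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SAMPLE_HEADERS = [
  "Authentication-Results: mx.example.net;",
  " dmarc=pass header.from=example.com;",
  " bimi=pass header.d=example.com header.selector=default",
  "BIMI-Indicator: " + Buffer.from(SAMPLE_SVG).toString("base64"),
  "From: Example <noreply@example.com>",
].join("\r\n");
```

A client that, like the add-on, does no DNS lookup of its own should only render the indicator when `bimiVerdict()` returns a pass from its own server and `decodeIndicator()` accepts the SVG; an indicator header on a message whose trusted Authentication-Results says nothing about BIMI is just untrusted remote content.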
