Micro Focus is now part of OpenText. Learn more >

You are here

You are here

BIMI email standard: Security fix or privacy fail?

Richi Jennings Your humble blogwatcher, dba RJA

Google’s Gmail is joining in with the Brand Indicators for Message Identification effort. BIMI lets an email client display a brand’s logo in a message, if it passes authentication checks.

The key, of course, is in DMARC. But also in the trusted certification authorities that will vouch that the logo represents the email-sending entity.

But wait a minute; isn’t there an unspoken privacy fly in the anti-phishing soup? And do we really want a load of corporations’ logos thrust in our faces? In this week’s Security Blogwatch, we are the product.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: learning from pandemic history (or not).

GOOG: benevolent cloud provider or evil marketer?

What’s the craic? Paul Sawers reports—Google launches BIMI pilot to bring verified brand logos to Gmail:

A new email specification … enables verified brands to display their logos in the Gmail avatar slot — regardless of who the sender’s email client or service provider is. … BIMI is an emerging specification that allows companies to deploy their brand logo consistently across email clients.

BIMI will only work with brands that have adopted the email authentication protocol DMARC. … The logo itself has to be validated by a third party. [It’s] designed to bring some peace of mind to email recipients, who can instantly see that the sender is who they claim to be.

BIMI is a broad industry effort, with a working group consisting of Twilio’s SendGrid, LinkedIn, Validity, Fastmail, Valimail, Verizon Media, and — as of last June — Google. As Gmail is one of the most widely used email clients in the world, its inclusion represents a landmark for the BIMI specification.

Speaking metaphorically, Chris Burns cracks a simile—Like blue checks for email:

Google’s intention is to put BIMI logos into play by the end of 2020 – or in the “coming months.” … This system would bring a “brand logo” [in] the standard avatar space.

If you’re using Gmail on the web, you’ll see this icon in the upper left-hand corner of an email from an official source. … If you’re using Gmail as an app, for … iOS or Android, you’ll see a logo like this in your inbox.

For the average email user, this system will be a by-default sort of situation. If it works as it should, you’ll simply be more secure and safe. … With DMARC and BIMI, the age of phishing with forged email addresses will – hopefully – be over.

So it’s all about safety? Google’s Karthik Lakshminarayanan and Neil Kumaran are on message—Safety first:

With so many people working remotely, it's more important than ever that the tools we use to stay in touch and productive are safe and secure. That’s why today we’re announcing … even stronger security in Gmail.

Email functions in a large, complex, interconnected ecosystem. This is why we’re working not just to keep Gmail safe, but to help keep the entire ecosystem secure.

Our BIMI pilot will enable organizations, who authenticate their emails using DMARC, to validate ownership of their corporate logos and securely transmit them to Google. … We’ll be starting the BIMI pilot in the coming weeks with a limited number of senders, and with two Certification Authorities to validate logo ownership.

By requiring strong authentication, users and email security systems can have increased confidence in the source of emails, and senders will be able to leverage their brand trust.

Where did this spec come from? The AuthIndicators Working Group wrote this “camel” of a blog post by committee:

BIMI provides a standardized method for publishing a logo in DNS for use alongside received emails, and it gives domain owners the ability to suggest a specific image be displayed. … Gmail’s primary motivation in piloting BIMI is to strengthen the email ecosystem by increasing the adoption of strong authentication through DMARC. This aligns with [our] mission.

BIMI incentivizes email senders to strengthen their security posture by protecting their domains against spoofing, decreasing the likelihood of phishing and increasing the trustworthiness and security of email for all users. That incentive is logo display, which enriches the inbox and increases consumer engagement. The ultimate goal of BIMI is to extend adoption of DMARC … on a global scale.

We encourage organizations to start the journey [by] getting DMARC enabled today.

But is that really the whole story? After all, Google is an advertising company first and foremost. And some of the other group members aren’t exactly holier than thou. Your humble blogwatcher is as cynical as ever:

Get lost. How about, "No"?

BIMI’s real goal is to track people. No thank you, I block remote-load images because I value my privacy.

Gmail/Gsuite had better make this optional, or I’ll be looking elsewhere for my email client needs.

And Aqualung812 is hopeful that Gmail will honor the existing image-loading setting:

The entire point is to give the user an indication of the validity of the sender before opening. … I don't disagree that it may be useful for tracking deliveries, and therefore have some negative privacy implications, but it shouldn't behave any differently on opening than any other images are handled by your email client.

Ah, bless. Thinking more like an evil marketer, Bob Rudis cannae change the laws of physics—BIMI Up, Scotty:

It seems that … MX, DKIM, SPF, and DMARC … were just not enough acronyms (and setup tasks) for some folks, resulting in the creation of yet another. … BIMI isn’t solving any problem that well-armored DMARC configurations aren’t already solving.

It appears to be driven mainly by brand marketing wonks who just want to shove brand logos in front of you and have one more way to track you. … Yep, tracking email perusals (even if it’s just a list view) will be one of the benefits (to brands and marketing firms) and is most assuredly a non-stated primary goal of this standard.

They could easily customize that to be a unique identifier … and know when you’ve at least looked at said email in a list view (provided that’s how your email client will show it) if not in the email proper. … So this is likely just one more way the IETF RFC system is being abused by large corporations to continue to erode our privacy. … Since many brands use third party services for all things email, those clearinghouses are set to get some great data on you … turning you into the product for other brands.

But—oh yeahquaffing the delicious Kool-Aid, it’s ssiemonsma:

You don't seem to be aware of what this is combating. … The verified logos would provide assurances to a customer that the email is from who they say it is. … So this is a nice security feature for sure.

Wait, who moved totetsu’s cheese?

I hope those of us who don't like looking at logos have the option to turn it off. Unlike the Chrome unwelcome omnibox popups for FedEx and the like.

Meanwhile, Smeagol strangles his cousin: [You’re fired—Ed.]

I think Google should highlight the unsubscribe link rather than the brand logo on emails.

The moral of the story?

One to watch, but beware potential privacy problems. (And if you’ve not yet implemented DMARC, get on with it already!)

And finally

“Humans are not very good at learning from history.”

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s heroic pic via gabrielle_cc (via Pixabay)

Keep learning

Read more articles about: SecurityData Security