In the last few years, we have seen a proliferation of services that allow
people to sign legal documents online. Essentially, they send out a link
to you via email, you click on the document, write your name, they render
it in a fancy font to make it look like a real signature, you click and
you’re supposed to be legally bound by a document. Variants of this service
collect and forward legally binding documents, such as recommendation
letters.
All such services are bunk. They fail at their central task, of ensuring
that the person doing the signing is who they claim to be. They also fail
at their secondary task, of properly documenting the basis for trust,
such that, if that trust were to be broken due to fraud, the perpetrators
can be prosecuted effectively.
I want to clarify what is wrong with these services because it makes
an interesting case study in computer security. By the end of the
article, you should be able to forge documents and get into any top
CS department of your choice, including our highly ranked program
at Cornell, regardless of your background, accomplishments, and previous
preparation.
These services fail because they violate a central tenet of user
authentication: document and capture the credentials used to
establish identity.
Here, you can see me use one of these services to sign a document
that the recipient hopes is going to be legally binding.
That is not my signature. That’s not my handwriting. And it could
easily have been someone else doing the typing.
Authentication is the act of establishing a link between a claim to an
identity and the credentials presented to establish that link.
These services fail to document the basis credential.
The simple fact is that these services are performing authentication
via an email address. The preparer of the documents makes a claim
that "the person you know as EGS has email address el33th4x0r at gmail.com and will be issuing statements we would like to make legally binding."
The service emails a link to their service to that address.
Access to that link permits anyone to be able to sign as the user EGS.
And yet, the service hides the email address they authenticated, and reports
the provided name instead, without establishing the veracity of the binding
between the name and the email address. So, this service will happily
pretend that the documents were signed by "EGS", when in reality, the
credential it checked was the email address el33th4x0r. Who the heck is
el33th4x0r? How does the recipient know that that’s the genuine address I use?
How would they know if it instead came from el33th4xor?
Some services allow me to upload a picture of my own signature, and provide
that instead of the handwriting font supplied by the system. This confers
no actual security. Old school signatures, in writing, are symmetric, the
provider and validator are in possession of the same credentials, in
contrast to public key cryptography, where the situation is asymmetric,
and the validator can never forge a signature. So anyone who ever processed
a check from me or read a letter I wrote is fully capable of producing
my exact signature, through the exact same process of scanning that I
would use to generate it. It’s just security theater to fool gullible
people.
Online signature services are broken even for the simple case where
one party knows the binding between a name and its corresponding
email address, because the number of failure points involved in email
routing is immense.
The sender is trusting BGP, DNS, SMTP+TLS, email forwarding, and the
email delivery agents, as well as the confidentiality of the email message
at rest on email providers.
That’s easily in excess of many tens of millions of lines of code. There are
uncountably many critical vulnerabilities in this code base, as
evidenced by the number of times your software auto-updates itself
with security patches. Undoubtedly, there are operational measures
to protect some particularly centralized systems; for instance, the
GMail team guards its data at rest
carefully following the incident when Chinese agents infiltrated the
service and prosecuted some dissidents, but certainly, most
institutions come nowhere near this level of diligence. Your
email can be intercepted and your "signature" easily forged.
And the situation gets much worse when multiple parties are involved, especially
when party A is entrusted to provide the binding between party B’s name
and corresponding email address.
Take the case of graduate school admissions. A number of companies have
cropped up that automate the task of collating and forwarding graduate
school applications and recommendation letters. Every single one I have
seen, without fail, is broken, nothing more than smoke, mirrors, and a
few fancy fonts designed to fool unsuspecting people. They all commit
the basic error described above by authenticating the email but displaying
the name. As a result, they admit massive fraud.
[Incidentally, these services also
fail to actually automate the process and generally pose a centralized
point of failure. Hackers, and secret services, can easily gain access to
90+% of all the recommendation letters written in a given year, and keep
these forever. Overall, higher education . But that’s a separate rant.]
I went to school with this fellow who wrote recommendation letters for himself, while he was in jail, and got into Princeton.
The attack is simple: you apply for graduate studies, and you claim that
your letter writers are the biggest names you can find. Let’s pick some
current and future Turing award winners, say, Lampson, Clark,
Stonebraker, and Sirer. The system then leaves it up to the applicant to
establish the name-email bindings. So you can provide email addresses that you
control, and write the juiciest recommendation letters known to humankind from
the biggest luminaries in the field.
As long as you don’t go overboard in the letters, there is nothing in the system that
will allow anyone to catch on, because the online signature service
never displays the actual email addresses to the people who consume
the signed documents. Our admissions committee will never catch on that
the letter from the acclaimed Butler Lampson actually came from an email
address under the control of the attacker.
At the moment, all graduate admissions are essentially done by the honor code.
All vetting happens not through the online signature services, whose job
is to help with this vetting, but despite them, via extraneous, social
methods. In essence, if it weren’t for researchers occasionally talking
to each other, the entire authentication system would fall apart.
This is no way to build a modern authentication system. And the fact that
we have these poor services convincing people, through their hokey fonts,
that they are doing an adequate job is keeping others from entering the
same space and doing a better job.
Given that most online signature services essentially run for free,
it’s worth thinking about their economics.
A company that handles
documents worth millions or even billions of dollars should charge you
something. A failure of their systems, a data loss event on their side,
might well render them liable. They need to hire competent staff and
run a substantial operation.
Now, one could argue that they need not charge you in proportion to the
value they handle, that this is a commoditized business, that there is a
lot of competition. But still, because the legal downside is non-zero,
there must necessarily be some offsetting charges. Yet I see very little
of that.
Leaving aside the value of the documents, there is the value to be gained
from knowing what’s inside the documents. How much would the US government
pay to know all of the business relationships between the actors in Russia?
That’s exactly how much they would invest in startups that provide free
online signing services. The same is true for every other secret service,
with foreign agencies sponsoring these companies in target countries. The
entire situation is very similar to VPN services: the entire sector seems
to be a set of giant honeypots.
And of course, you can bet that every single secret service is working to
get access to the data repositories of competing services. It’s a grim world.
Luckily, there is room for optimism despite the sad state of user
authentication on the Internet.
In the US, the legal system permits the use of electronic signatures
based on cryptography. So we can actually implement strong signatures
based on asymmetric, public key cryptography. We can sign documents
without ever worrying about the recipient turning around and forging
other documents with our signature.
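The contrast drawn above between a scanned signature image, which the validator can reuse verbatim, and an asymmetric signature, which the validator can only check, as an added example (not code from the original post). The "image" is a constructed byte blob standing in for an uploaded picture; the asymmetric half uses Go's standard Ed25519, and the fingerprint function shows what a transparent service would display as the credential it actually checked.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for the uploaded picture of a handwritten signature.
var scannedSignature = []byte("constructed PNG bytes of a handwritten signature")

// attachImage is the upload-a-picture scheme: the same bytes are attached
// whatever the document says, so nothing binds the signature to the document.
func attachImage(doc []byte) []byte { return append([]byte(nil), scannedSignature...) }
// imageValid is all a validator can do with an image: compare it with the copy
// it already holds. That copy is also everything needed to "sign" another document.
func imageValid(doc, sig []byte) bool { return bytes.Equal(sig, scannedSignature) }
// newKeypair makes an Ed25519 key pair; only the private half can sign.
func newKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// signDoc signs the document bytes, so the signature is bound to that content;
// verifyDoc needs only the public key, which cannot produce a signature.
func signDoc(priv ed25519.PrivateKey, doc []byte) []byte { return ed25519.Sign(priv, doc) }
func verifyDoc(pub ed25519.PublicKey, doc, sig []byte) bool { return ed25519.Verify(pub, doc, sig) }
// checkedCredential is what a transparent service should display: a fingerprint
// of the key that actually verified, rather than a typed name.
func checkedCredential(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:8])
}

func main() {
	letter := []byte("constructed: strong recommendation for applicant A")
	forged := []byte("constructed: glowing recommendation for applicant B")
	fmt.Println("moved image still validates:", imageValid(forged, attachImage(letter)))
	pub, priv := newKeypair()
	sig := signDoc(priv, letter)
	fmt.Println("genuine:", verifyDoc(pub, letter, sig), "moved:", verifyDoc(pub, forged, sig))
	_, attackerPriv := newKeypair()
	fmt.Println("other key:", verifyDoc(pub, forged, signDoc(attackerPriv, forged)), "checked:", checkedCredential(pub))
}
```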
The rise of cryptocurrencies has forced us to build key management
infrastructure. Hardware wallets, whose sole function is to carry keys
securely and issue signatures, are maturing, albeit slowly.
Building a public key infrastructure is never going to be easy, but
at least the right ingredients are falling into place.
Document management is no cheap task, and I don’t mean to
underestimate how much effort companies otherwise may end up spending
to manage their signed documents. But if the alternative is to entrust
the entire kit and kaboodle to be managed by an unknown third party
that is known to do a poor job at their central task of authentication,
and where the data resides on disk, at rest, unencrypted, then it is no
alternative at all. I’m optimistic that turnkey, self-hosted solutions
can be developed here that do not rely on storing everything at a central
point of vulnerability.
So, I expect that the situation will improve over the next decade, because
there is no reason for it not to, other than complacency and lack of awareness
of just how terrible the existing services are.
In the meantime, you should do three things:
1. Demand that online
signature services display the actual credential they checked.
For without this, the validator has no
way of evaluating the central authentication claim.
If they checked just an email address, they should display just that
email address. Displaying anything else as the authenticated user name
is dangerously misleading.
This transparency should pave the way for new companies that authenticate
users via multiple methods, and permit the consumer of the information
to make informed choices.
2. Refuse to incorporate insecure services into your workflow at your
institution.
3. If you are at an educational institution, you have a higher burden
on your shoulders. Refuse to outsource central tasks of a university
to third parties. Such parties constitute central points of failure,
where their failure can result in the betrayal of the core mission of
a university, to protect the students’ future careers.