Online Signature Services Are Broken

In the last few years, we have seen a proliferation of services that allow people to sign legal documents online. Essentially, they send out a link to you via email, you click on the document, write your name, they render it in a fancy font to make it look like a real signature, you click and you're supposed to be legally bound. Variants of this service collect and forward other important documents, such as recommendation letters.

All such services are bunk. They fail at their central task, of ensuring that the person doing the signing is who they claim to be. They also fail at their secondary task, of properly documenting the basis for trust, such that, if that trust were to be broken due to fraud, the perpetrators can be prosecuted effectively.

I want to clarify what is wrong with these services because it makes an interesting case study in computer security. By the end of the article, you should be able to forge documents and get into any top CS department of your choice, including our highly ranked program at Cornell, regardless of your background, accomplishments, and previous preparation.

Central Tenets

These services fail because they violate a central tenet of user authentication: document and capture the credentials used to establish identity.

Here, you can see me use one of these services to sign a document that the recipient hopes is going to be legally binding.

Not a signature.

That is not my signature. That's not my handwriting. And it could easily have been someone else doing the typing.

Authentication is the act of establishing a link between a claim to an identity and the credentials presented to eastablish that link. These services fail to document the basis credential.

The simple fact is that these services are performing authentication via an email address. The preparer of the documents makes a claim that "the person you know as EGS has email address el33th4x0r at gmail.com and will be issuing statements we would like to make legally binding."

The service emails a link to their service to that address. Access to that link permits anyone to be able to sign as the user EGS. And yet, the service hides the email address they authenticated, and reports the provided name instead, without establishing the veracity of the binding between the name and the email address. So, this service will happily pretend that the documents were signed by "EGS", when in reality, the credential it checked was the email address el33th4x0r. Who the heck is el33th4x0r? How does the recipient know that that's the genuine address I use? How would they know if it instead came from el33th4xor?

Some services allow me to upload a picture of my own signature, and provide that instead of the handwriting font supplied by the system. This confers no actual security. Old school signatures, in writing, are symmetric, the provider and validator are in possession of the same credentials, in contrast to public key cryptography, where the situation is asymmetric, and the validator can never forge a signature. So anyone who ever processed a check from me or read a letter I wrote is fully capable of producing my exact signature, through the exact same process of scanning that I would use to generate it. It's just security theater to fool gullible people.

Attacks

Online signature services are broken even for the simple case where one party knows the binding between a name and its corresponding email address, for the number of failure points involved in email routing are immense. The sender is trusting BGP, DNS, SMTP+TLS, email forwarding, and the email delivery agents, as well as the confidentiality of the email message at rest on email providers.

That's easily in excess of many tens of millions lines of code. There are uncountably many critical vulnerabilites in this code base, as evidenced by the number of times your software auto-updates itself with security patches. Undoubtedly, there are operational measures to protect some particularly centralized systems; for instance, the GMail team guards its data at rest carefully following the incident when Chinese agents infiltrated the service and prosecuted some dissidents, but certainly, most institutions come nowhere near this level of diligence. Your email can be intercepted and your "signature" easily forged.

How To Get Into Any Graduate School

And the situation gets much worse when multiple parties are involved, especially when party A is entrusted to provide the binding between party B's name and corresponding email address.

Take the case of graduate school admissions. A number of companies have cropped up that automate the task of collating and forwarding graduate school applications and recommendation letters. Every single one I have seen, without fail, is broken, nothing more than smoke, mirrors, and a few fancy fonts designed to fool unsuspecting people. They all commit the basic error described above by authenticating the email but displaying the name. As a result, they admit massive fraud.

[Incidentally, these services also fail to actually automate the process and generally pose a centralized point of failure. Hackers, and secret services, can easily gain access to 90+% of all the recommendation letters written in a given year, and keep these forever. Overall, higher education should not outsource its core functions. But that's a separate rant.]

Fraud isn't limited to CSW.

I went to school with this fellow who wrote recommendation letters for himself, while he was in jail, and got into Princeton.

The attack is simple: you apply for graduate studies, and you claim that your letter writers are the biggest names you can find. Let's pick some current and future Turing award winners, say, Lampson, Clark, Stonebreaker, and Sirer. The system then leaves it up to the applicant to establish the name-email bindings. So you can provide email addresses that you control, and write the juiciest recommendation letters known to humankind from the biggest luminaries in the field. As long as you don't go overboard in the letters, there is nothing in the system that will allow anyone to catch on, because the online signature service never displays the actual email addresses to the people who consume the signed documents. Our admissions committee will never catch on that the letter from the acclaimed Butler Lampson actually came from an email address under the control of the attacker.

At the moment, all graduate admissions are essentially done by the honor code. All vetting happens not through the online signature services, whose job is to help with this vetting, but despite them, via extraneous, social methods. In essence, if it weren't for researchers occasionally talking to each other, the entire authentication system would fall apart.

This is no way to build a modern authentication system. And the fact that we have these poor services convincing people, through their hokey fonts, that they are doing an adequate job is keeping others from entering the same space and doing a better job.

Cause for Concern

Given that most online signature services essentially run for free, it's worth thinking about their economics.

A company that handles documents worth millions or even billions of dollars should charge you something. A failure of their systems, a data loss event on their side, might well render them liable. They need to hire competent staff and run a substantial operation.

Now, one could argue that they need not charge you in proportion to the value they handle, that this is a commoditized business, that there is a lot of competition. But still, because the legal downside is non-zero, there must necessarily be some offsetting charges. Yet I see very little of that.

Leaving aside the value of the documents, there is the value to be gained from knowing what's inside the documents. How much would the US government pay to know all of the business relationships between the actors in Russia? That's exactly how much they would invest in startups that provide free online signing services. The same is true for every other secret service, with foreign agencies sponsoring these companies in target countries. The entire situation is very similar to VPN services: the entire sector seems to be a set of giant honeypots.

And of course, you can bet that every single secret service is working to get access to the data repositories of competing services. It's a grim world.

Future Outlook

Luckily, there is room for optimism despite the sad state of user authentication on the Internet.

In the US, the legal system permits the use of electronic signatures based on cryptography. So we can actually implement strong signatures based on asymmetric, public key cryptography. We can sign documents without ever worrying about the recipient turning around and forging other documents with our signature.

The rise of cryptocurrencies has forced us to build key management infrastructure. Hardware wallets, whose sole function is to carry keys securely and issue signatures, are maturing, albeit slowly.

Building a public key infrastructure is never going to be easy, but at least the right ingredients are falling into place.

Document management is no cheap task, and I don't mean to underestimate how much effort companies otherwise may end up spending to manage their signed documents. But if the alternative is to entrust the entire kit and kaboodle to be managed by an unknown third party that is known to do a poor job at their central task of authentication, and where the data resides on disk, at rest, unencrypted, then it is no alternative at all. I'm optimistic that turnkey, self-hosted solutions can be developed here that do not rely on storing everything at a central point of vulnerability.

So, I expect that the situation will improve over the next decade, because there is no reason for it not to, other than complacency and lack of awareness of just how terrible the existing services are.

In the meantime, you should do three things:

1. Demand that online signature services display the actual credential they checked. For without this, the validator has no way of evaluating the central authentication claim.

If they checked just an email address, they should display just that email address. Displaying anything else as the authenticated user name is dangerously misleading.

This transparency should pave the way for new companies that authenticate users via multiple methods, and permit the consumer of the information to make informed choices.

2. Refuse to incorporate insecure services into your workflow at your institution.

3. If you are at an educational institution, you have a higher burden on your shoulders. Refuse to outsource central tasks of a university to third parties. Such parties constitute central points of failure, where their failure can result in the betrayal of the core mission of a university, to protect the students' future careers.


Share on Linkedin
Share on Reddit
comments powered by Disqus