|
Re: [ietf-dkim] DKIM Threat Analysis v0.06
2005-08-19 13:31:10
Arvel Hathcock wrote:
Here's what I think.
1. Who are the bad actors that DKIM is trying to thwart? Put another
way, if DKIM is deployed, what bad actors will have to find a different
way to perform their bad acts.
The bad actors are anyone who would use a domain name in an identity
header of an email message without authorization from the domain
owner. The same will have to discover a new means of doing so.
There are different classes of bad actors: some only want to cover
their tracks and will send mail using arbitrary addresses, others want
to use specific domains (either spoofing established domains or using
lookalikes), and yet others will want to exploit existing social
relationships (gleaned from address books) in order to try to get
through whitelists.
Also, what resources do these bad actors have at their disposal?
I assume "resources" refers to the set of conditions the bad actor
finds which enables him to achieve his goal. These are primarily (a)
the wide-open unauthenticated nature of SMTP which lets anybody claim
they are anybody else (b) the wide-open unauthenticated nature of
RFC-2822 which has no inherent mechanism for restricting the use of
identity headers to the domain owner (c) the relative lack of use (for
whatever reason) of stronger security measures such as S/MIME and PGP
and (d) the ubiquitous habit of and conditioning imposed through the
display of the RFC-2822.From identity header to email consumers in
preference to any other identity.
I think by "resources" what he means is what capabilities does the
attacker have. Can the attacker mount a man-in-the-middle attack? Can
the attacker corrupt the key storage? Can the attacker pretend to be
coming from a different IP address (if that's even relevant)? Does the
attacker have access to signed messages which might be modified ? Can
the attacker cause some arbitrary message to be signed which they might
be able to exploit?
There is probably not a single answer to many of these questions,
because there is more than one class of attacker here. So we need to
describe which of these we intend to address and which we don't. An
attacker that can trick a registrar into changing the DNS entries for a
domain to their rogue DNS servers is one we don't intend to address, for
example.
2. Where are these bad actors in the protocol environment? Where in
the email system do they pop up to perform the acts that DKIM is trying
to prevent. Again, different bad actors may appear at different places.
Some of the "places" that he refers to might be whether the bad actors
are within the originating domain, the recipient's domain, whether they
might pose as (or attack) mailing lists, or whether they're out in
interdomain space.
3. What are the bad acts that DKIM is trying to thwart? The first two
questions are really background for this question.
These are so related it's hard for me to separate. Unauthorized
domain use is a means to several ends. The 'end' will determine
where, in the email delivery chain, the bad actor "pops up". When the
goal is to trash the reputation of a domain owner in the eyes of an
email user or ply some scam part of which requires the unauthorized
use of a domain to lend it credibility, the "pop up" is the MUA of an
email user and the effect takes place in the mind of that user. When
the goal is to thwart filtering agents or attempt to manipulate a
receiving domain's incoming email policy in some way the "pop up" is
at the point wherein those processes are invoked and the effect is in
reducing or rendering useless the effectiveness of those processes.
Sure; we need to distill down the list of bad acts as much as possible
in order to make the discussion as clear and unambiguous as possible.
The trashing of domain reputations and such is a second-order effect.
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
|
|