Hi all.
First, I'd like to say that this analysis covers most of the attacks we
(eBay Inc.) have seen, and some that we haven't even seen yet. By far
the most common attack we have seen is the one in section 5.2.2, where
the bad actors pretend to be one of our administrative addresses. We
feel that DKIM addresses this problem well.
Another major attack vector we have seen is the one in 5.2, the use of
similar looking domains. We call this the "eboy" problem. We would
like to stress how much of a problem this is in the hopes that it can be
further highlighted and discussed. I know that in previous discussions
it was decided this problem would be difficult to solve, but it would be
good to highlight it, as perhaps with the right people looking at it, a
possible solution or mitigation could be found.
Another related attack that I did not see mentioned in the threat
analysis is what we call the "pretty from" attack. Most popular email
clients display the arbitrary text in the From header as the display
name, if there is one. For example, if the From header were
'From "aw-confirm@ebay.com" <badguy@badguy.com>', the client would show
"aw-confirm@ebay.com" as the from address. If the signature could be
validated against badguy.com, then the message would appear legit. This
is a major attack vector, as most of our users don't look beyond what
their GUI client shows them. Looking at the current DKIM standard, it
looks like this could still validate properly, since the signature would
be signed with the key from badguy.com. I didn't see anything in the
spec about verifying that the arbitrary text matches the purported From
address. Is this correct? Perhaps this could be addressed as a
possible threat in the analysis?
Other than those two issues, as I said earlier, the analysis is very
complete, and I wanted to thank Jim for putting it together.
Thanks everyone.
Jeremy
---
Jeremy Edberg
Security Engineer
eBay, Inc./PayPal Inc.
jedberg@ebay.com
_______________________________________________
ietf-dkim mailing list
http://dkim.org
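The "pretty from" header described in the message above can be caught at the receiving side by comparing the display name with the actual addr-spec. The following is an added example (not code from the original post, nor from any DKIM implementation) that parses the From header, flags a display name shaped like an address whose domain differs from the real sending domain, and, as an extra heuristic the text itself says DKIM does not require, compares the DKIM-Signature d= tag with the From domain (this second check covers the section 5.2.2 case, where a third party signs mail claiming to be from an administrative address). The two sample messages are constructed for this example; their DKIM-Signature headers are placeholders carrying only the tags the check reads, not real signatures.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example (not from the original post).
# The DKIM-Signature headers are placeholders carrying only the tags this
# check reads; they are not real, verifiable signatures.
PRETTY_FROM_MSG = """\
From: "aw-confirm@ebay.com" <badguy@badguy.com>
DKIM-Signature: v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from:subject; bh=placeholder; b=placeholder
Subject: Question about your item

Please confirm your account details.
"""

LEGIT_MSG = """\
From: "eBay" <aw-confirm@ebay.com>
DKIM-Signature: v=1; a=rsa-sha256; d=ebay.com; s=sel; h=from:subject; bh=placeholder; b=placeholder
Subject: Question about your item

Please confirm your account details.
"""

# A display name that is itself shaped like an address (local@domain, no
# whitespace). Clients render this text in place of the real addr-spec.
ADDRESS_LIKE = re.compile(r"^<?([^@\s<>]+)@([^@\s<>]+)>?$")


def domain_of(addr):
    """Domain part of an addr-spec, lower-cased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace is removed from values; '=' inside a value (base64
    padding in b=) is preserved by splitting on the first '=' only.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def check_from_header(from_value, dkim_value=None):
    """Return a list of findings for one From header (empty list = nothing odd).

    Findings:
      display-name-looks-like-address  display name is local@domain shaped
      display-name-domain-mismatch     ...and its domain differs from the real one
      signing-domain-not-aligned       DKIM d= differs from the From domain
                                       (an added heuristic; DKIM itself does
                                       not require this)
    """
    display, addr = parseaddr(from_value)
    real_domain = domain_of(addr)
    findings = []

    match = ADDRESS_LIKE.match(display.strip())
    if match:
        findings.append("display-name-looks-like-address")
        if match.group(2).lower() != real_domain:
            findings.append("display-name-domain-mismatch")

    if dkim_value is not None:
        signing_domain = parse_dkim_tags(dkim_value).get("d", "").lower()
        if signing_domain and signing_domain != real_domain:
            findings.append("signing-domain-not-aligned")

    return findings


def check_message(raw):
    """Run check_from_header over a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    return check_from_header(msg.get("From", ""), msg.get("DKIM-Signature"))


if __name__ == "__main__":
    for label, raw in (("pretty-from", PRETTY_FROM_MSG), ("legit", LEGIT_MSG)):
        print(label, check_message(raw) or "clean")
```

Note that on the "pretty from" sample the signing-domain check passes: badguy.com signed its own mail, exactly as the message above says DKIM would validate. Only the display-name comparison catches it, which is why a verifier that stops at "signature valid" is not enough for this attack.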