On Oct 27, 2005, at 3:45 PM, Edberg, Jeremy wrote:
Another related attack that I did not see mentioned in the threat
analysis is what we call the "pretty from" attack. Most popular email
clients display the arbitrary text in the From header as the display
name, if there is one. For example, if the From header were 'From
"aw-confirm@ebay.com" <badguy@badguy.com>', the client would show
"aw-confirm@ebay.com" as the from address. If the signature could be
validated against badguy.com, then the message would appear legit. This
is a major attack vector, as most of our users don't look beyond what
their GUI client shows them. Looking at the current DKIM standard, it
looks like this could still validate properly, since the signature would
be signed with the key from badguy.com. I didn't see anything in the
spec about verifying that the arbitrary text matches the purported From
address. Is this correct? Perhaps this could be addressed as a
possible threat in the analysis?
Other than those two issues, as I said earlier, the analysis is very
complete, and I wanted to thank Jim for putting it together.
Jeremy,
You will find this "pretty-name" aspect reviewed in the threat review
I also published as an unofficial update to Jim's. Of course, starting
with MUAs that display the "pretty-name" makes much of the effort aimed
at restricting the From header of limited merit.
See:
11.3 Opportunistic Protection without Domain-wide Policy Assertions
http://www.sonic.net/~dougotis/id/draft-otis-dkim-threats-01.html
Protections afforded by SSP for an email-address also come at the
cost of not being able to utilize unsigned or third-party signed
messages from mailing-lists, e-invites, greeting-cards, news-articles,
etc. Mike referred to the 80% rule; I wonder whether this was with
respect to those email-address domains that don't make use of these
services. Are these modes of communication forfeit? I can't help
but notice that you used your ebay.com domain to post this message. : )
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
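The "pretty from" case Jeremy raises, and Doug's point about third-party signatures, side by side as an added example. This code is not from the ietf-dkim thread or from any DKIM implementation, and it verifies no signature: it only parses the From and DKIM-Signature header values to show which check a valid signature gives you (the d= signing domain) and which it does not (the display name). Every header below is a constructed sample; the selector `sel`, the address `someone@ebay.com`, the list domain `lists.example.org` and the abbreviated `bh=`/`b=` values are all made up for illustration.

```python
"""Pretty-from detection versus signing-domain alignment (added example)."""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# An address-looking token embedded in free text; group 1 is its domain.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def decode_display_name(name):
    """Decode RFC 2047 encoded words, so an encoded spoof is not missed."""
    return str(make_header(decode_header(name)))


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def dkim_tag(sig_value, tag):
    """Return one tag's value from a DKIM-Signature tag=value list, or None."""
    for part in sig_value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep and key.strip() == tag:
            return "".join(val.split()).lower()  # folding whitespace inside values is allowed
    return None


def analyse_from(from_value, dkim_sig_value=None):
    """Classify one From header (plus optional DKIM-Signature) for pretty-from risk."""
    raw_name, addr = parseaddr(from_value)  # parse first, decode second: a decoded
    name = decode_display_name(raw_name)    # bare "x@y" phrase would confuse parseaddr
    addr_domain = domain_of(addr)
    # Domains of any address-looking tokens the display name carries.
    name_domains = sorted({m.group(1).lower() for m in ADDR_IN_TEXT.finditer(name)})
    # The display name claims an address whose domain is not the real one.
    pretty_from = any(d != addr_domain for d in name_domains)

    signing_domain = dkim_tag(dkim_sig_value, "d") if dkim_sig_value else None
    # A valid DKIM signature binds the message to d= only; comparing d= with the
    # From domain is the separate, SSP-style policy check the thread discusses.
    aligned = signing_domain is not None and (
        addr_domain == signing_domain or addr_domain.endswith("." + signing_domain)
    )
    return {
        "display_name": name,
        "addr": addr,
        "addr_domain": addr_domain,
        "name_domains": name_domains,
        "pretty_from": pretty_from,
        "signing_domain": signing_domain,
        "signature_aligned_with_from": aligned,
    }


# Constructed samples (not real messages); signature fields are abbreviated.
SAMPLES = [
    # 1. The attack from the thread: the display name spoofs ebay.com while the
    #    badguy.com signature verifies and even matches the real From domain.
    ('"aw-confirm@ebay.com" <badguy@badguy.com>',
     "v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from:to:subject; bh=...; b=..."),
    # 2. The same spoof hidden in an RFC 2047 encoded word.
    ("=?UTF-8?B?YXctY29uZmlybUBlYmF5LmNvbQ==?= <badguy@badguy.com>",
     "v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from; bh=...; b=..."),
    # 3. An ordinary message signed by the author's own domain (hypothetical user).
    ('"Some User" <someone@ebay.com>',
     "v=1; a=rsa-sha256; d=ebay.com; s=sel; h=from; bh=...; b=..."),
    # 4. The same author relayed through a list that adds its own signature
    #    (hypothetical list domain): no spoof, but the signer is a third party.
    ('"Some User" <someone@ebay.com>',
     "v=1; a=rsa-sha256; d=lists.example.org; s=sel; h=from; bh=...; b=..."),
]


def run_samples():
    return [analyse_from(f, s) for f, s in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

Samples 1 and 2 come back with `pretty_from` true and `signature_aligned_with_from` true: a verifier that stops at the signature, or even one that also requires d= to match the From address, accepts them, which is the gap Jeremy describes. Sample 4 is the other side of Doug's point: a legitimate message whose only signature belongs to the list, so any policy that insists on an aligned first-party signature rejects it.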