ietf-dkim

Re: [ietf-dkim] draft-fenton-dkim-threats-01.txt

2005-10-27 16:17:30

On Oct 27, 2005, at 3:45 PM, Edberg, Jeremy wrote:


Another related attack that I did not see mentioned in the threat
analysis is what we call the "pretty from" attack.  Most popular email
clients display the arbitrary text in the From header as the display
name, if there is one.  For example, if the From header were 'From
"aw-confirm@ebay.com" <badguy@badguy.com>', the client would show
"aw-confirm@ebay.com" as the from address.  If the signature could be
validated against badguy.com, then the message would appear legit. This
is a major attack vector, as most of our users don't look beyond what
their GUI client shows them.  Looking at the current DKIM standard, it
looks like this could still validate properly, since the signature would
be signed with the key from badguy.com.  I didn't see anything in the
spec about verifying that the arbitrary text matches the purported From
address.  Is this correct?  Perhaps this could be addressed as a
possible threat in the analysis?

Other than those two issues, as I said earlier, the analysis is very
complete, and I wanted to thank Jim for putting it together.

Jeremy,

You will find this "pretty-name" aspect reviewed in the threat review I also published as an unofficial update to Jim's. Of course, starting with MUAs that display the "pretty-name" makes much of the effort aimed at restricting the From header of limited merit.

See:
11.3 Opportunistic Protection without Domain-wide Policy Assertions
http://www.sonic.net/~dougotis/id/draft-otis-dkim-threats-01.html

Protections afforded by SSP for an email-address also come at the cost of not being able to utilize unsigned or third-party signed messages from mailing-lists, e-invites, greeting-cards, news-articles, etc. Mike referred to the 80% rule; I wonder whether this was with respect to those email-address domains that don't make use of these services? Are these modes of communication forfeit? I can't help but notice that you used your ebay.com domain to post this message. : )

-Doug
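The display-name confusion Jeremy describes, and the limit Doug points to (a DKIM verifier can only align the signing domain with the address in From:, never with the text a client renders), as an added example that is not part of the original thread. The sample headers are constructed; the attack header reproduces the one in Jeremy's post, and the function names and verdict strings are this example's own, not anything from the DKIM or SSP drafts.

```python
"""Added example: spotting the "pretty from" mismatch.

Parses RFC 2822 From: headers, shows what a display-name-first MUA
renders, and flags display names that look like an address at another
organisation. The DKIM check covers only what a signature can tell you:
the d= domain versus the domain of the real address.
"""
import re
from email.utils import parseaddr

# Anything shaped like user@domain inside the display name.
ADDR_LIKE = re.compile(r'[^\s<>",@]+@[^\s<>",@]+')


def domain_of(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rpartition('@')[2].lower()


def same_org(shown, real):
    """True if shown equals real or is a subdomain of it."""
    return shown == real or shown.endswith('.' + real)


def mua_display(from_header):
    """What a typical client shows in the From column: the display name
    if present, otherwise the bare address."""
    name, addr = parseaddr(from_header)
    return name or addr


def pretty_from_mismatch(from_header):
    """Return (displayed_domain, actual_domain) when the display name
    looks like an address at a different organisation, else None."""
    name, addr = parseaddr(from_header)
    m = ADDR_LIKE.search(name)
    if not m:
        return None
    shown, real = domain_of(m.group(0)), domain_of(addr)
    if not shown or not real or same_org(shown, real):
        return None
    return shown, real


def dkim_domain_aligned(dkim_d, from_header):
    """The alignment a DKIM verifier can check: d= against the address
    in From:. It says nothing about the display name, which is why the
    attack header below passes this test."""
    _, addr = parseaddr(from_header)
    return same_org(domain_of(addr), dkim_d.lower())


def assess(from_header, dkim_d):
    """Combine both checks into one verdict string (names are ours)."""
    if not dkim_domain_aligned(dkim_d, from_header):
        return "unaligned-signature"
    if pretty_from_mismatch(from_header):
        return "pretty-from"
    return "ok"


# Constructed samples (not taken from any mail archive):
ATTACK = '"aw-confirm@ebay.com" <badguy@badguy.com>'   # the header in Jeremy's post
HONEST = '"Jeremy Edberg" <jedberg@ebay.com>'           # hypothetical honest sender
SUBDOM = '"alerts@mail.example.org" <alerts@example.org>'

if __name__ == "__main__":
    for hdr, d in [(ATTACK, "badguy.com"), (HONEST, "ebay.com"), (SUBDOM, "example.org")]:
        print(f"{mua_display(hdr):28} -> {assess(hdr, d)}")
```

Run as a script it prints one line per sample: the attack header displays as "aw-confirm@ebay.com", is aligned with a badguy.com signature, and is only caught by the display-name check. A subdomain in the display name is deliberately treated as the same organisation so that ordinary "alerts@mail.example.org" style names are not flagged.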


_______________________________________________
ietf-dkim mailing list
http://dkim.org