ietf-dkim

Re: [ietf-dkim] draft-fenton-dkim-threats-01.txt

2005-10-28 05:21:19

Jeremy,

Edberg, Jeremy wrote:
Another related attack that I did not see mentioned in the threat
analysis is what we call the "pretty from" attack.  Most popular email
clients display the arbitrary text in the From header as the display
name, if there is one.  For example, if the from header were 'From
"aw-confirm@ebay.com" <badguy@badguy.com>', the client would show
"aw-confirm@ebay.com" as the from address.  If the signature could be
validated against badguy.com, then the message would appear legit.  This
is a major attack vector, as most of our users don't look beyond what
their GUI client shows them.  Looking at the current DKIM standard, it
looks like this could still validate properly, since the signature would
be signed with the key from badguy.com.  I didn't see anything in the
spec about verifying that the arbitrary text matches the purported From
address.  Is this correct?  Perhaps this could be addressed as a
possible threat in the analysis?

I'd say that it is worth a mention, but I can't really see that dkim
can do much about it other than, as you say, call attention to it yet
again, which is certainly no harm.

Stephen.
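Added example, not code from the thread: a small Python check for the "pretty from" pattern Jeremy describes. It compares the domain of an address-shaped display name with the addr-spec domain and, when a DKIM-Signature value is supplied, with the signing domain in its d= tag. The regex, the parent-domain alignment rule and the sample headers are constructed assumptions, not anything from the DKIM spec.

```python
import re
from email.utils import parseaddr

# Email-like token inside free text (constructed heuristic, not RFC-complete).
ADDR_IN_TEXT = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def domain_of(addr):
    """Lower-cased domain part of an addr-spec."""
    return addr.rpartition('@')[2].lower()


def aligned(shown, actual):
    """True if shown equals actual or is a parent domain of it (assumed rule)."""
    return shown == actual or actual.endswith('.' + shown)


def dkim_signing_domain(sig_header):
    """Extract the d= tag from a DKIM-Signature header value, or None."""
    for tag in sig_header.split(';'):
        name, _, value = tag.strip().partition('=')
        if name.strip().lower() == 'd':
            return value.strip().lower()
    return None


def pretty_from_mismatch(from_header, dkim_signature=None):
    """Describe a 'pretty from' mismatch, or return None if none is found.

    The display name is scanned for something that looks like an address;
    its domain is compared with the addr-spec domain and, when a
    DKIM-Signature value is given, with the signing domain in its d= tag.
    """
    display, addr = parseaddr(from_header)
    if '@' not in addr:
        return None          # no usable addr-spec; nothing to compare
    m = ADDR_IN_TEXT.search(display)
    if not m:
        return None          # display name is not address-shaped
    shown, real = domain_of(m.group(0)), domain_of(addr)
    if not aligned(shown, real):
        return f'display name shows {shown} but addr-spec is {real}'
    if dkim_signature is not None:
        d = dkim_signing_domain(dkim_signature)
        if d and not aligned(shown, d):
            return f'display name shows {shown} but signature d={d}'
    return None
```

A verifier can run this after DKIM validation succeeds, so that a valid signature from badguy.com does not by itself make the message look legitimate to the user.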

_______________________________________________
ietf-dkim mailing list
http://dkim.org