ietf-dkim

Re: [ietf-dkim] draft-fenton-dkim-threats-01.txt

2005-10-29 14:54:39
On October 27, 2005 at 16:45, "Edberg, Jeremy" wrote:

Another related attack that I did not see mentioned in the threat
analysis is what we call the "pretty from" attack.  Most popular email
clients display the arbitrary text in the From header as the display
name, if there is one.  For example, if the from header were 'From
"aw-confirm@ebay.com" <badguy@badguy.com>', the client would show
"aw-confirm@ebay.com" as the from address.  If the signature could be
validated against badguy.com, then the message would appear legit.  This
is a major attack vector, as most of our users don't look beyond what
their GUI client shows them.  Looking at the current DKIM standard, it
looks like this could still validate properly, since the signature would
be signed with the key from badguy.com.  I didn't see anything in the
spec about verifying that the arbitrary text matches the purported From
address.  Is this correct?  Perhaps this could be addressed as a
possible threat in the analysis?

This problem appears to be best addressed with MUAs.  MUA developers
must become more security-aware, especially when it comes to
rendering a message.  The problem you raise is due to MUAs relying
on a non-standard mechanism for extracting the human name of an
originating address.

With no standardization on how human names are represented in message
headers, I think it is virtually impossible to develop a standard
that addresses the problem you raise.  It may be possible for heuristics
to be employed by MTA filters to try to detect such cases, but this
has its own set of problems.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
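
The kind of filter heuristic mentioned in the reply, as an added example that is not part of the original thread or of any DKIM specification: it flags a From header whose display name contains an address in a different domain from the real address. The function name, the regular expression and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Address-like token inside a display name; group 1 captures its domain.
ADDR_IN_NAME = re.compile(
    r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
)


def pretty_from_findings(raw_message):
    """Return (shown_address, real_address) pairs for every From mailbox
    whose display name shows an address in a different domain than the
    addr-spec that a DKIM signature would actually be checked against."""
    # policy=default yields structured Address objects and decodes
    # RFC 2047 encoded words in the display name before we inspect it.
    msg = message_from_string(raw_message, policy=default)
    from_header = msg["From"]
    if from_header is None:
        return []
    findings = []
    for addr in from_header.addresses:
        real_domain = addr.domain.lower()
        for match in ADDR_IN_NAME.finditer(addr.display_name):
            # Exact domain comparison: a display name showing the parent
            # domain of a legitimate subdomain sender is also flagged,
            # one of the false-positive problems the reply alludes to.
            if match.group(1).lower() != real_domain:
                findings.append((match.group(0), addr.addr_spec))
    return findings


# Constructed sample messages (the first uses the header from the thread).
SPOOFED = 'From: "aw-confirm@ebay.com" <badguy@badguy.com>\nSubject: t\n\nx\n'
PLAIN = 'From: "Alice Example" <alice@example.org>\nSubject: t\n\nx\n'
SAME = 'From: "alice@example.org" <alice@example.org>\nSubject: t\n\nx\n'

if __name__ == "__main__":
    for sample in (SPOOFED, PLAIN, SAME):
        print(pretty_from_findings(sample))
```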