ietf-dkim

[ietf-dkim] ebay / eboy

2005-10-31 15:28:57


dberg, Jeremy wrote:
> Another major attack vector we have seen is the one in 5.2, the use of
> similar looking domains.  We call this the "eboy" problem.  We would
> like to stress how much of a problem this is in the hopes that it can be
> further highlighted and discussed.  I know that in previous discussions
> it was decided this problem would be difficult to solve, but it would be
> good to highlight it, as perhaps with the right people looking at it, a
> possible solution or mitigation could be found.

As important as this problem is, it probably will not help the immediate
DKIM effort much, to discuss it now.

DKIM authenticates a particular domain identity, and associated content,
without offering an opinion about the wonderfulness of that identity.  And
even then it only pertains to one occurrence of the identity (or, maybe, to
associated identities in the headers.)

Use of DKIM, with an assessment service (black or white list or the like)
will help with a class of eboy problems, but it won't deal with any of the
"embedded" games played in the content.

Or have I missed something here?


> Another related attack that I did not see mentioned in the threat
> analysis is what we call the "pretty from" attack.  Most popular email
> clients display the arbitrary text in the From header as the display
> name, if there is one.  For example, if the from header were 'From
> "aw-confirm@ebay.com" <badguy@badguy.com>', the client would show
> "aw-confirm@ebay.com" as the from address.  If the signature could be
> validated against badguy.com, then the message would appear legit.  This
DKIM does not specify end-user display behaviors.


> I didn't see anything in the
> spec about verifying that the arbitrary text matches the purported From
> address.  Is this correct?  Perhaps this could be addressed as a
> possible threat in the analysis?

SSP deals with matching the From to the DKIM identity.  Did you have any
other matching in mind?


d/

--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>

_______________________________________________
ietf-dkim mailing list
http://dkim.org
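The two threats discussed above, the "eboy" lookalike domain and the "pretty from" display name, are both outside what a DKIM signature itself asserts, so any defence has to sit on the receiving side (client or filter). The following is an added example written for this archive page, not code from the thread or from any DKIM implementation: it parses a From: header value, flags a display name that contains an address-like string whose domain differs from the real addr-spec domain, and flags an addr-spec domain that is within one edit of a protected brand domain. The PROTECTED_DOMAINS list, the one-edit threshold and the sample headers are constructed assumptions for the demonstration.

```python
import re
from email.utils import parseaddr

# Constructed list of brand domains this check protects (assumption for the example).
PROTECTED_DOMAINS = ("ebay.com", "paypal.com")

# Matches an email-address-like token inside free text and captures its domain part.
ADDR_LIKE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def analyze_from(header_value):
    """Return a list of findings for the value of a From: header.

    ("pretty_from", shown_domain, real_domain): the display name contains an
        address whose domain differs from the addr-spec's domain.
    ("lookalike", real_domain, brand): the addr-spec's domain is within one
        edit of a protected brand domain but is not that domain.
    """
    name, addr = parseaddr(header_value)
    real_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # "pretty from": an address-looking display name pointing at another domain.
    for m in ADDR_LIKE.finditer(name):
        shown = m.group(1).lower()
        if shown != real_domain:
            findings.append(("pretty_from", shown, real_domain))

    # "eboy": the real domain is a near-miss of a brand domain we care about.
    for brand in PROTECTED_DOMAINS:
        if real_domain and real_domain != brand and levenshtein(real_domain, brand) <= 1:
            findings.append(("lookalike", real_domain, brand))

    return findings


if __name__ == "__main__":
    # Constructed sample headers: the thread's "pretty from" example, an "eboy"
    # lookalike, and a legitimate sender.
    samples = [
        '"aw-confirm@ebay.com" <badguy@badguy.com>',
        'eBay Customer Support <support@eboy.com>',
        '"eBay Support" <support@ebay.com>',
    ]
    for s in samples:
        print(s, "->", analyze_from(s) or "no findings")
```

A finding here is a signal for a client to show the real addr-spec prominently (or for a filter to score the message), not proof of fraud; the thread's point stands that a valid signature from badguy.com says nothing about what the display name claims. The one-edit threshold is deliberately narrow and would need tuning, and a registrable-domain comparison, before production use.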