ietf-dkim

Re: [ietf-dkim] SSP security relies upon the visual domain appearance

2005-11-20 02:58:40
On Sat, 2005-11-19 at 13:31 -0800, Michael Thomas wrote:
Douglas Otis wrote:
You agree that SSP does not provide a mechanism to prevent spoofing
without reliance upon visual presentations  [...]

   Doug, this is demonstrably false and I wish that you would
   just give up on this line of argument -- if you have other good
   things to say, they are being drowned out by this sort of silliness.
   Right now, on mtcc.com, I see reports from my software that show
   the SSP violations. It does not involve my eyeballs under the
   control of a sendmail milter.

Are you suggesting character-set attacks (made possible by RFC2047,
RFC3492, raw puny-code, similar ASCII characters, or "pretty-name"
presentations) are prevented by a policy that requires matching domains?

If the recipient _studies_ the domain and knows the character-set being
used, then visual examination _may_ thwart this avenue of attack.  On
the other hand, if the recipient is not sure of the character-set being
used, is exposed to raw puny-code or "pretty-name" presentations, then
any assurance about preventing spoofing would be illusory.

Indications of domain matching only expose the recipient to a greater
risk of being duped.  Alternatively, indicating the recognition of a set
of identifiers belonging to a prior correspondent would greatly reduce
the risks of being duped without the eye-test.

A policy comparing domains is like locking the front door of a house,
but leaving the back door open and declaring the home secure.  Why do
you think companies expend resources registering similar domains, often
after a litigation process?  Some MUAs have even elected not to show
headers.  The binding recognition strategy could highlight messages of
prior correspondents without any header being displayed and still defeat
spoofing.

As if that were not enough, the acquisition of automatic bindings can
still provide the same log of messages rejected at the SMTP session in
the same manner as an SSP "o=!" domain comparison.  With the binding
recognition strategy, the SSP approach is not needed, the risks of
unfair use of authorizations are eliminated, while also substantially
reducing the overhead.

-Doug
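The two mechanisms contrasted in the post, a visual domain comparison versus recognition of identifiers bound to a prior correspondent, can be shown side by side in a small classifier. The following is an added example written for this page; it is not code from the ietf-dkim list, from Doug Otis, or from any DKIM implementation. It assumes a constructed set of (address, DKIM signing domain) bindings, the hypothetical domains example.com and other.example, and a constructed Cyrillic-initial lookalike built with Python's own idna codec. The verdict comes only from the binding lookup; the flags list the reasons (RFC 2047 encoded-words, RFC 3492 punycode, mixed-script labels, address-like display names) why an eye-test of the same From: line would be unreliable.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample of "bindings": (address, DKIM signing domain) pairs already
# seen from prior correspondents. Hypothetical data, not taken from the post.
KNOWN_BINDINGS = {
    ("alice@example.com", "example.com"),
}

# Address-looking text inside a display name (the "pretty-name" presentation).
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def decode_from_header(raw_from):
    """Decode RFC 2047 encoded-words so we see the text the MUA would render."""
    return str(make_header(decode_header(raw_from)))


def unicode_domain(domain):
    """Turn RFC 3492 punycode A-labels (xn--...) into the Unicode a reader would see."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def to_alabel(domain):
    """Encode a Unicode domain to its punycode wire form (used to build samples)."""
    return domain.encode("idna").decode("ascii")


def scripts_in_label(label):
    """Unicode scripts used by the letters of one DNS label, e.g. {'CYRILLIC', 'LATIN'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def visual_flags(display, domain):
    """Reasons why comparing this identity by eye could mislead the recipient."""
    flags = []
    if any(label.startswith("xn--") for label in domain.split(".")):
        flags.append("punycode domain; renders as %r" % unicode_domain(domain))
    for label in unicode_domain(domain).split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            flags.append("mixed-script label %r: %s" % (label, sorted(scripts)))
    for shown in ADDR_RE.findall(display):
        if shown.lower().rsplit("@", 1)[-1] != domain:
            flags.append("display name shows %r but the address domain is %r" % (shown, domain))
    return flags


def assess_from(raw_from, dkim_domain):
    """Classify a From: identity by binding lookup, not by visual domain comparison.

    Returns (verdict, flags): the verdict depends only on whether the
    (address, DKIM d=) pair is a known prior-correspondent binding; the flags
    explain why an eye-test of the same identity would be unreliable.
    """
    display, addr = parseaddr(decode_from_header(raw_from))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = visual_flags(display, domain)
    if (addr, dkim_domain.lower()) in KNOWN_BINDINGS:
        return "prior-correspondent", flags
    return "unrecognized", flags


if __name__ == "__main__":
    # Constructed From: values paired with the d= each message was signed under.
    lookalike = to_alabel("\u0430pple.example")  # Cyrillic 'а' followed by Latin 'pple'
    samples = [
        ("Alice <alice@example.com>", "example.com"),
        ('"alice@example.com" <alice@other.example>', "other.example"),
        ("Alice <alice@%s>" % lookalike, lookalike),
        ("=?utf-8?q?=22alice=40example=2Ecom=22?= <alice@other.example>", "other.example"),
    ]
    for raw, d in samples:
        verdict, flags = assess_from(raw, d)
        print("%-62s -> %s %s" % (raw, verdict, flags))
```

Only the first sample is recognized, and it is recognized without anyone reading the domain; the other three are flagged for the reasons the post lists, but their rejection already follows from the missing binding, so the flags serve as explanation for a log rather than as the decision itself.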

_______________________________________________
ietf-dkim mailing list
http://dkim.org
