ietf-dkim

Re: [ietf-dkim] SSP = FAILURE DETECTION

2006-09-12 10:06:14

----- Original Message -----
From: "Wietse Venema" <wietse(_at_)porcupine(_dot_)org>
To: <ietf-dkim(_at_)mipassoc(_dot_)org>
Sent: Tuesday, September 12, 2006 12:22 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION


What was the advantage of SSP with look-alike domains?

To find large unproductive ratholes?  Neither DKIM nor SSP claim
to have any direct effect on look-alike domain names, and
there's nothing in our

DKIM_BASE allows a recipient to distinguish mail from the bank from
look-alike mail that pretends to be from the bank.  That information
comes in the form of the signing domain.

SSP has an advantage when we assume that criminals are stupid enough
to keep sending forged mail. It has no advantage with look-alike
attacks. Guess what criminals will do.

hmmmmmmmmm, unless I didn't follow you right, I fail to see the distinction
or your point.

Scenario #1 - No Phishing in 2822.From, Phishing in signing domain. NO SSP
defined.

  From: accounts(_at_)paypal(_dot_)com
  To: Bob(_at_)sillyuser(_dot_)com
  Subject: Your Account Info
  DKIM-Signature: d=paypa1.com; s=sept06;  <-- valid 3PS

Here, the 3PS is valid using a look-alike domain (character one is used
instead of el). The x822.From is really paypal.com and no SSP is defined.
The result in a NO SSP environment is a VALID message with the awful
possibility some stupid Presentation software will say:

   * Good Signature from accounts(_at_)paypal(_dot_)com signed by
     paypa1.com

Scenario #2 - Phishing in 2822.From, Phishing in signing domain.

  From: accounts(_at_)paypa1(_dot_)com
  To: Bob(_at_)sillyuser(_dot_)com
  Subject: Your Account Info
  DKIM-Signature: d=paypa1.com; s=sept06;  <-- valid 3PS

Here, the 3PS is valid using a look-alike domain (character one is used
instead of el). The x822.From is also phished. The bad guy can have NO SSP
or a SSP with a designated allow list for paypa1.com.

So I don't see how it matters.

But I will say that if PAYPAL.COM (the real domain) used SSP in scenario #1,
then at the very least, the real domain is protected against a phished
signing domain when using SSP.  So to me, SSP still has the advantage over a
DKIM-BASE only environment.

SSP can protect against a PHISHED DKIM-BASE SIGNATURE. A slight
distinction over a phished 2822.From domain. In short, the bad guy would
have to phish both domains - the author's and the signing domain.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
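As an added illustration of the two scenarios above (example code, not from the thread or from any DKIM implementation): a verifier-side check that compares the 2822.From domain with the DKIM d= domain and folds confusable characters such as digit one and el. It assumes the signature itself has already been cryptographically verified; the PROTECTED set and the confusable table are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domain the defender wants to protect (the "real bank").
PROTECTED = {"paypal.com"}
# Constructed, deliberately tiny confusable table (digit one vs el, zero vs oh, ...);
# a real deployment would use the Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def skeleton(domain):
    """Fold a domain to its confusable skeleton so paypa1.com == paypal.com."""
    return domain.lower().translate(CONFUSABLES)

def dkim_signing_domain(msg):
    """Return the d= tag of the DKIM-Signature header, or None if unsigned."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None

def from_domain(msg):
    """Domain of the RFC 2822 From: address (what the recipient's MUA displays)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None

def classify(raw_message):
    """Compare the displayed From: domain with the signing domain.
    Assumes the signature was already cryptographically verified; only d= is inspected."""
    msg = message_from_string(raw_message)
    frm, d = from_domain(msg), dkim_signing_domain(msg)
    findings = []
    # Scenario 2: the From: domain itself is a look-alike of a protected domain.
    if frm and frm not in PROTECTED and skeleton(frm) in {skeleton(p) for p in PROTECTED}:
        findings.append("lookalike-from")
    if d is None:
        findings.append("unsigned")
    elif d == frm:
        findings.append("aligned")  # what SSP / alignment would accept
    elif skeleton(d) == skeleton(frm):
        findings.append("lookalike-signer")  # Scenario 1: real From:, look-alike d=
    else:
        findings.append("third-party-signer")
    return findings

# Constructed sample headers mirroring the two scenarios in the post.
SCENARIO_1 = ("From: accounts@paypal.com\nTo: Bob@sillyuser.com\n"
              "DKIM-Signature: d=paypa1.com; s=sept06;\n\nbody\n")
SCENARIO_2 = ("From: accounts@paypa1.com\nTo: Bob@sillyuser.com\n"
              "DKIM-Signature: d=paypa1.com; s=sept06;\n\nbody\n")
```

Scenario 1 is caught by the From/d= comparison alone, while Scenario 2 is "aligned" and is only flagged because the From: domain is compared against the protected list, which is the distinction the post is arguing about.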