
Re: [ietf-dkim] layer violations, was detecting header mutations after signing

2010-10-20 12:51:49
On 10/20/10 7:27 AM, Alessandro Vesely wrote:
> On 20/Oct/10 13:23, Charles Lindsey wrote:
>> The scam I have described involves the use, by the phisher, of a
>> DKIM-signed (by himself) email with two From: headers, which is intended
>> to fool verifiers into not spotting that the first signature should have
>> triggered an ADSP lookup which would have revealed that the first From:
>> was 'discardable'.
>>
>> Naturally, the phisher signs with a throwaway domain that has not yet
>> acquired any reputation, good or bad.
>>
>> Since the scam involves the use of DKIM, and since the only fix I am aware
>> of requires a change to the DKIM standard, then it is highly relevant to
>> the current discussion.
>
> IMHO, this issue has to be addressed refining the signing spec.  For
> example, the initial paragraph of section 5.4 could be modified so as
> to read:
>
>     The From header field MUST be signed; that is, it MUST be included
>     at least once in the "h=" tag of the resulting DKIM-Signature
>     header field, and SHOULD be included twice (see Section 8.14).  In
>     addition, the signer MUST ensure that at most one instance of the
>     From field actually exists in the header.
>
> The current PS silently assumes that there is a single From, and I
> guess most interoperability and testing has been done in such
> conditions.  Hence an amendment like the text above can be understood
> as a clarification --rather than a change-- of the protocol.
>
> Verifiers would then discard any From field after the first one,
> whether signed or not.  Of course, a combo-verifier is always free to
> return some error due to bad message syntax, even if all signatures
> verify (although I'd consider it cleaner to return non-DKIM errors for
> non-DKIM failures.)
Alessandro,

While this represents a defensive posture that might be used prior to
DKIM reliably returning PERMFAIL when multiple From header fields are
contained within the message, it only thwarts half of the threat
created by multiple From header fields.  As both Charles and I have
illustrated:

 From: Accounts@Big-Bank.com
 From: Someone@Big-ISP.com
 Subject: Audit notification
<body of text saying anything>

This message could be sent directly, or distributed by replaying it to 
millions of recipients.

Nothing Big-Bank.com might do with their signing mitigates this variant 
of the double From header field attack.  The ONLY sure method is to 
ensure DKIM always returns PERMFAIL when multiple From header fields are 
detected, whether both or one of them are signed.

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
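To make the selection rule under discussion concrete, the following is an added example in Python; it is not code from this thread, from the DKIM specification, or from any DKIM implementation. It models the bottom-up h= header selection of RFC 6376 section 5.4.2 with relaxed canonicalization, stands in an HMAC over a shared demo key for the RSA signature (an assumption made only so the demo runs offline), and uses constructed messages. It exercises both variants raised above: the bank's own clean message with a From field prepended after signing, where listing From twice in h= makes the signature fail, and the phisher-signed two-From message, where only a verifier rule returning PERMFAIL for any message with more than one From field helps, whichever instance is signed.

```python
import hashlib
import hmac
import re

# Stand-in for the signer's RSA key pair: an HMAC key shared by signer and
# verifier. Assumption for the demo only; real DKIM uses RSA keys in DNS.
DEMO_KEY = b"throwaway-domain-key"


def parse_headers(raw_message):
    """Return the header block of an RFC 5322 message as (name, value) pairs
    in wire order. Folded continuation lines are joined; the body is dropped."""
    headers = []
    for line in raw_message.split("\r\n"):
        if line == "":            # blank line ends the header block
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376 3.4.2): lowercase field name,
    collapse runs of whitespace, strip surrounding whitespace."""
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value).strip()


def select_headers(headers, h_list):
    """RFC 6376 5.4.2 selection: for each name in h=, take the last instance not
    already consumed, scanning bottom-up. A name with no instance left
    contributes an empty string; that is what 'from:from' pins down."""
    consumed = set()
    selected = []
    for wanted in h_list:
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in consumed and headers[idx][0].lower() == wanted.lower():
                consumed.add(idx)
                selected.append(relaxed(*headers[idx]))
                break
        else:
            selected.append("")
    return selected


def _signed_data(headers, h_list):
    # The DKIM-Signature field itself (with b= emptied) is hashed too, which
    # binds the h= list into the signature; modelled by appending it here.
    return "\r\n".join(select_headers(headers, h_list) + ["h=" + ":".join(h_list)]).encode()


def sign(headers, h_list):
    """Produce a toy DKIM-Signature value: the h= list plus an HMAC tag as b=."""
    tag = hmac.new(DEMO_KEY, _signed_data(headers, h_list), hashlib.sha256).hexdigest()
    return "h=" + ":".join(h_list) + "; b=" + tag


def verify(headers, signature, strict_single_from=False):
    """Return 'pass', 'fail' (signature mismatch) or 'permfail' (rejected before
    the cryptographic check). strict_single_from implements the rule proposed
    in the thread: more than one From field is PERMFAIL regardless of what
    is signed."""
    if strict_single_from:
        if sum(1 for name, _ in headers if name.lower() == "from") != 1:
            return "permfail"
    tags = dict(part.strip().split("=", 1) for part in signature.split(";"))
    h_list = tags["h"].split(":")
    expected = hmac.new(DEMO_KEY, _signed_data(headers, h_list), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, tags["b"]) else "fail"


# Constructed sample messages (not taken from any real mail).
BANK_MSG = ("From: Accounts@Big-Bank.com\r\n"
            "Subject: Audit notification\r\n\r\nPlease log in.\r\n")
# Variant from the thread: the phisher signs, under his own throwaway domain,
# a message that already carries the spoofed bank From above his own.
PHISHER_MSG = ("From: Accounts@Big-Bank.com\r\n"
               "From: Someone@Big-ISP.com\r\n"
               "Subject: Audit notification\r\n\r\nPlease log in.\r\n")


def scenarios():
    """Run the cases discussed in the thread and return their outcomes."""
    results = {}
    # Phisher signs h=from; bottom-up selection covers only his own From,
    # so the signature verifies while the displayed From is the bank's.
    phisher_headers = parse_headers(PHISHER_MSG)
    phisher_sig = sign(phisher_headers, ["from", "subject"])
    results["phisher_signed_lenient"] = verify(phisher_headers, phisher_sig)
    results["phisher_signed_strict"] = verify(phisher_headers, phisher_sig, True)
    # Bank signs a clean message; a second From is prepended in transit.
    bank_headers = parse_headers(BANK_MSG)
    tampered = parse_headers("From: Someone@Big-ISP.com\r\n" + BANK_MSG)
    sig_once = sign(bank_headers, ["from", "subject"])
    sig_twice = sign(bank_headers, ["from", "from", "subject"])
    results["prepended_from_h_once"] = verify(tampered, sig_once)
    results["prepended_from_h_twice"] = verify(tampered, sig_twice)
    results["clean_h_twice"] = verify(bank_headers, sig_twice)
    return results


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

Listing From twice in h= only protects a message the legitimate signer produced; the phisher-signed case passes any purely cryptographic check because the signer chose which From instance to cover, which is why the strict single-From rule is applied before the signature is examined at all.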
