On Wed, 29 Jun 2011 19:49:27 +0100, Pete Resnick <presnick(_at_)qualcomm(_dot_)com> wrote:

> On 6/29/11 11:20 AM, Charles Lindsey wrote:
>> A phisher obtains a throwaway domain and creates a public/private key pair
>> for it. He then sends messages of the following form:
>> ------------
>> To: some.sucker@anywhere.example
>> From: eBay<ebay(_at_)ebay(_dot_)co(_dot_)uk>
>> Date: Tue, 17 May 2011 13:21:06 +0100
>> Subject: Some plausible Ebay subject
>> <Lots of other normal headers>
>> From: a.phisher@mythrowayawdomain.example
>> DKIM-Signature: v=1; a=rsa-sha256; d=mythrowayawdomain.example;
>> h=from:to:subject:date; ....... b=<valid signature>
>> Body of message of typical Phish style.
>> -------------
>> A compliant DKIM verifier will report that as a validly signed message.
>
> The second From field is absolutely irrelevant in the example. The
> phisher could simply leave out the From field with their address in it
> and sign the ebay From field.

But not with Ebay's private key, and that would surely get spotted (with
or without ADSP).

> And that's not an attack. The signer signed the message and the
> signature verifies. *DKIM* has done its job successfully and has not
> been attacked. DKIM communicates from the signer to the verifier. The
> signer *can't* attack itself.

Sure, but this is an attack directed against Ebay. If the signer succeeds
in fooling both the verifier/policy module/whatever else the ISP provides,
and thereby in fooling the ultimate recipient, then something has gone
badly wrong.

The ultimate recipient is not interested in arcane details of who has
attacked whom, or who was responsible, or which RFC has been broken; he
just discovers that he has been fooled (and his pocket emptied), and all
he can see is that the people who were supposed to protect him are busy
passing the buck amongst themselves.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
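The disagreement above turns on which From instance the signature actually covers. The following is an added example, not code from the thread or from any DKIM implementation: it applies the header-selection rule of RFC 6376 section 5.4.2 (for each name in h=, the verifier takes the last not-yet-used instance, scanning from the bottom of the header block upward) to a constructed message shaped like the one in the thread, shows that the signed From is the throwaway-domain one, and then runs the verifier-side check a receiving site would want: every From instance must be covered by h=, and there must be exactly one From, as RFC 5322 requires. The sample headers, the `PLACEHOLDER` signature values and all function names are constructed for this example; no key material or real signature is involved.

```python
"""Which header instances does a DKIM h= tag cover, and is From fully vouched for?

Added example (not from the mailing-list thread). Implements the RFC 6376
section 5.4.2 header selection rule and a From-coverage policy check.
"""
import re

# Constructed sample, modelled on the message shape discussed in the thread.
# Signature values are placeholders; no real key is involved.
SAMPLE_HEADERS = """\
To: some.sucker@anywhere.example
From: eBay <ebay@ebay.co.uk>
Date: Tue, 17 May 2011 13:21:06 +0100
Subject: Some plausible Ebay subject
From: a.phisher@mythrowayawdomain.example
DKIM-Signature: v=1; a=rsa-sha256; d=mythrowayawdomain.example;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
"""


def parse_headers(raw):
    """Split a raw header block into ordered (name, value) pairs, unfolding
    RFC 5322 continuation lines onto the preceding field."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_tags(sig_value):
    """Parse the tag=value list of a DKIM-Signature field into a dict,
    dropping folding whitespace inside values."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def signed_indices(fields, h_list):
    """RFC 6376 5.4.2: for each name in h=, pick the last not-yet-consumed
    instance of that header, scanning bottom-up. The DKIM-Signature being
    verified is never part of its own h= set, so it is skipped. A name with
    no remaining instance is signed as absent and contributes no index."""
    used = []
    for name in h_list:
        for i in range(len(fields) - 1, -1, -1):
            n = fields[i][0].lower()
            if n == "dkim-signature" or n != name.lower() or i in used:
                continue
            used.append(i)
            break
    return used


def select_signed_headers(fields, h_list):
    """The header instances, in h= order, whose bytes feed the signature."""
    return [fields[i] for i in signed_indices(fields, h_list)]


def unsigned_instances(fields, h_list, names=("from",)):
    """Instances of the given header names that h= leaves uncovered. These
    can be changed or added without breaking the signature."""
    covered = set(signed_indices(fields, h_list))
    return [fields[i] for i in range(len(fields))
            if fields[i][0].lower() in names and i not in covered]


def from_is_fully_covered(fields, h_list):
    """Verifier-side policy check: exactly one From (RFC 5322 section 3.6)
    and that instance must be covered by h=. Either failure means the
    displayed sender is not what the signer vouched for."""
    froms = [f for f in fields if f[0].lower() == "from"]
    return len(froms) == 1 and not unsigned_instances(fields, h_list, ("from",))


def analyze(raw):
    """Run the whole chain on a raw header block; returns what the signature
    covers as From, which From instances it leaves uncovered, and the verdict."""
    fields = parse_headers(raw)
    sig = next(v for n, v in fields if n.lower() == "dkim-signature")
    h_list = parse_tags(sig)["h"].split(":")
    signed = [v for n, v in select_signed_headers(fields, h_list) if n.lower() == "from"]
    return {
        "signed_from": signed,
        "unsigned_from": [v for _, v in unsigned_instances(fields, h_list)],
        "from_ok": from_is_fully_covered(fields, h_list),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

Run as a script it shows that the signature covers only the throwaway-domain From, leaves the eBay From uncovered, and that the coverage check fails. Over-signing (`h=from:from:...`) makes the second From covered as well, but the check still fails on the From count, which is the condition a verifier or policy module should act on regardless of whose key made the signature.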