ietf-dkim

Re: [ietf-dkim] Final update to 4871bis for working group review

2011-07-07 14:33:50
On Thu, 07 Jul 2011 15:28:09 +0100, Barry Leiba <barryleiba(_at_)computer(_dot_)org> wrote:

>> The signer most certainly CAN attack, but what he is attacking is not
>> DKIM; rather it is the recipient, or Ebay, or lenient MTAs. DKIM is, in
>> fact, his weapon of attack.

> Right, but the point is that, with DKIM (as Murray says, this attack
> can be mounted with or without), the signing domain is relying on its
> own reputation, not that of the "fake" From....

I think Murray is wrong. There is no benefit to the Bad Guy in using two  
From: fields if he is not going to sign one of them. By signing, he hopes  
to gain sufficient extra credibility to get through.

> ...  That mitigates things in
> two ways:
>
> 1. There's really no difference between using "d=badguy.com" to sign
> "From: x(_at_)badguy(_dot_)com" and then adding "From: x(_at_)ebay(_dot_)com"
> later, and
> using "d=badguy.com" to sign "From: x(_at_)ebay(_dot_)com" in the first place.
> No advice in this regard addresses the second case anyway.

Oh yes there is! Because identity assessors will undoubtedly give more
credence to messages where the signature domain is the same as the author
(i.e. From:) domain, even if they do not go to the extent of doing full
ADSP, and that is just what the BadGuy hopes will happen. And if
implementors are not warned of this attack, they will tend to take a
report of "signed by the domain that DKIM regards as the appropriate
From:" at its face value and act accordingly.

> 2. Signers that do this will quickly get bad reputations, and will
> never have had strongly good ones in the first place.  It's never
> eBay's reputation that's relevant here anyway.

Signers who are BadGuys don't give a damn about the reputation of their
domains. Having dispatched a million or so phishes with "d=badguy.com",
they will abandon that domain and use "d=son-of-badguy.com" for the next
batch. All that can be said of the reputation of badguy.com is that it is
a new domain, never seen before (but new domains are appearing all the
time, and must be assumed more-or-less innocent until proven otherwise).

> Given all that, having us describe the problem is sufficient, and
> that's exactly what the WG consensus has us do.

Yes, but you haven't described the problem. In draft-12, the old 8.14  
described this attack tolerably well (and 8.15 described my 2nd one). On  
that basis I was persuaded to let that draft go (just). But what we have  
now is worse, not better, and I regret that if that remains the case, then  
it can only lead to another appeal to the AD.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk
Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
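The verifier-side check the message argues for, as an added example that is not part of the thread or of any DKIM implementation: an identity assessor should only report "signed by the From: domain" when the message carries exactly one From: field and its domain matches the signature's d= tag. The messages, domains and the DUMMY b=/bh= values are constructed; the over-signing flag (From: listed in h= once more than it occurs, so a later addition breaks the signature) is a counter-measure the thread does not itself mention.

```python
import email
from email.utils import parseaddr


def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            tags[key.strip()] = ''.join(value.split())
    return tags


def from_domain(header_value):
    """Domain of the address in a From: field, lower-cased."""
    return parseaddr(header_value)[1].rpartition('@')[2].lower()


def assess(raw_message):
    """Decide whether d= may be credited as the author (From:) domain."""
    msg = email.message_from_string(raw_message)
    froms = msg.get_all('From') or []          # keeps duplicates, unlike msg['From']
    result = {'from_count': len(froms), 'from_domains': [from_domain(f) for f in froms],
              'signing_domain': None, 'aligned': False, 'from_oversigned': False,
              'verdict': 'unsigned'}
    sig = msg.get('DKIM-Signature')
    if sig is None:
        return result
    tags = parse_dkim_tags(sig)
    signed_fields = [f.lower() for f in tags.get('h', '').split(':') if f]
    result['signing_domain'] = tags.get('d', '').lower()
    result['from_oversigned'] = signed_fields.count('from') > len(froms)
    if len(froms) != 1:
        result['verdict'] = 'multiple From: fields; do not credit d= as author domain'
    elif result['signing_domain'] == result['from_domains'][0]:
        result['aligned'] = True
        result['verdict'] = 'author-domain signature'
    else:
        result['verdict'] = 'third-party signature'
    return result


# Constructed samples: one honest message, one with a From: field added after signing.
HONEST = """From: Alice <alice@example.com>
To: bob@example.net
Subject: hello
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
  h=from:to:subject; bh=DUMMY; b=DUMMY

body
"""
DOUBLE_FROM = """From: x@bank.example
From: x@badguy.example
To: victim@example.net
DKIM-Signature: v=1; a=rsa-sha256; d=badguy.example; s=sel;
  h=from:to; bh=DUMMY; b=DUMMY

body
"""
```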
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
