ietf-mailsig

Re: nowsp considered harmful

2005-07-20 08:26:12

On 2005-07-20 07:25:28 -0700, Michael Thomas wrote:

> One can also delete everything appended as is recommended in the
> draft.

That would take care of the "adding new content" part, which is
indeed made possible by l=.  (And not dissimilar to a known problem
with IIM.)

> This really has nothing to do with nowsp.

The first step of the manipulation was to make changes to the MIME
structure that were canonicalized away by nowsp -- hence rendering
parts of the signed message invisible without breaking the
signature.

Instead of messing with boundaries, an attacker could also fold an
entire MIME body part's content, or maybe just part of that content,
into a couple of MIME headers, leaving behind an empty body, or making
part of the original content invisible.

Or one could insert an empty line in front of a content-type header,
turning an HTML body part into a text/plain one.  (Do that on a
large scale with a legitimate, DKIM-signed HTML message from some
large financial institution, and see how their helpdesk reacts to
it.)

I wouldn't be surprised if there were more interactions between MIME
and nowsp.


Basically, there is a lot of structure in MIME messages that
actually depends on where whitespace and line breaks are in the
message body. nowsp canonicalizes that structure away, and opens the
door for manipulations.

-- 
Thomas Roessler, W3C   <tlr(_at_)w3(_dot_)org>
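
Added example, not part of the original message or of any DKIM implementation: a verifier-side check showing that the empty-line change described above leaves a nowsp body hash intact while the parsed MIME type changes. Assumptions: nowsp is modelled as deleting every SP, HTAB, CR and LF from the body; the sample message, the `line_preserving` comparison and all function names are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

# Constructed sample: top-level headers and a signed one-part multipart body.
TOP = (b"From: statements@bank.example\r\n"
       b"MIME-Version: 1.0\r\n"
       b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n')
SIGNED_BODY = (b"--b1\r\n"
               b"Content-Type: text/html\r\n\r\n"
               b"<p>Your statement is ready.</p>\r\n"
               b"--b1--\r\n")
# Same bytes with one empty line in front of the part's Content-Type header.
ALTERED_BODY = SIGNED_BODY.replace(b"--b1\r\nContent-Type",
                                   b"--b1\r\n\r\nContent-Type", 1)

def nowsp(body):
    # Assumed model of nowsp: delete every SP, HTAB, CR and LF.
    return body.translate(None, b" \t\r\n")

def line_preserving(body):
    # Hypothetical comparison: keep line structure, normalise trailing CRLFs.
    return body.rstrip(b"\r\n") + b"\r\n"

def digest(canon, body):
    return hashlib.sha256(canon(body)).hexdigest()

def part_types(body):
    # Content types of the leaf parts, as a MIME parser sees them.
    msg = message_from_bytes(TOP + body)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def same_hash_different_structure(canon, signed, received):
    # True when the body hash still matches but the parsed MIME structure does not.
    return (digest(canon, signed) == digest(canon, received)
            and part_types(signed) != part_types(received))

if __name__ == "__main__":
    for canon in (nowsp, line_preserving):
        print(canon.__name__,
              "hash match:", digest(canon, SIGNED_BODY) == digest(canon, ALTERED_BODY),
              "types:", part_types(SIGNED_BODY), "->", part_types(ALTERED_BODY))
```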

