Re: [Full-disclosure] Email Security

Subject: Re: [Full-disclosure] Email Security
Date: Fri, 30 Dec 2005 18:28:32 +1300
Gary E. Miller wrote:

Yo All!

Sorry to actually talk about security here, but this has been bugging
me for a while.  Check out the headers in the email I just got from
this list below.

If you think DomainKeys has anything to do with "security" you either 
have no clue what DomainKeys is and does or what security is...

Pay particular attention to this header that shows gmail signed the
original message:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
    h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references;
    b=CQy5RMmQmeDJoDvXBSoE3v/YxxeBPc4IA6LVT/GgWBA2oLOCW3GXWm+u/I4MT2v8LxpcJj3ntc
    6F4bOTORFK7BTPZKPL/QzFEydGmzcpN/4MO+myrzc8GgDTCliPpNH0TvhdPunxVMHqSMSHaMkdJq
    pXnHYohxyCQY/bmx5Mc/I=


Now notice this one that shows the signature failed after going through
full-disclosure:

Authentication-Results: catbert.rellim.com from=zoidenator@gmail.com;
    domainkeys=fail (testing)

Is there any way to get the list fixed so that DomainKeys signing is
not being corrupted?  I know this is non-trivial but if we can't
figure it out then no mere mail admin has a chance....

It seems to me that gmail included the subject in the resultant hash
and the [full-disclosure] tag added to the subject changes the hash.

Yep -- you'd expect that to break DomainKeys...

Not sure what the proper workaround is, ...

The "proper workaround" is to ignore DomainKeys.  Even better, if 
you're in a position to set up further things that will break 
DomainKeys, the "proper workaround" is to set up those things too.

... but I think the mailing list
is supposed to rehash the whole thing.

DomainKeys is not an RFC yet, but it will be soon.  We gotta do
something about the flood of spam.  My spamfilter caught 11k+ spam just
last weekend on just my personal account....

If you think DomainKeys has anything to do with spam then you clearly 
have no grip on what spam is, why we have it and the totally trivial 
"fix" the major spammers will make to totally subvert DomainKeys (and 
SPF and Sender ID and all other weak "authentication" methods suggested 
by morons who want to stop spam but have equally little grip as you on 
what spam is and why we have it).

The list maintainer should be commended for running a service that 
shows one of the many weaknesses and stupidities of DomainKeys because 
doing so will hopefully make enough of the marginally sensible Email 
admins out there wary of supporting it, as widespread adoption of 
DomainKeys will just be a waste of time and money _IF_ you are spending 
that time and money on it "because it will (help) stop spam".


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
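
The failure discussed in this thread, as an added example that is not part of the original messages: the list's subject tag changes a header named in the signature's h= list, so the hash an rsa-sha1 signature covers no longer matches, while whitespace refolding or an extra unsigned header does not change it. Assumptions: `nofws` here is a simplified stand-in for c=nofws canonicalization, the RSA step is omitted (only the SHA-1 input is compared), and the helper names, addresses and the List-Id value are constructed for illustration.

```python
import hashlib
import re

# Header names from the h= tag of the DomainKey-Signature quoted above.
SIGNED = set("received:message-id:date:from:to:subject:cc:in-reply-to:"
             "mime-version:content-type:references".split(":"))

def nofws(line):
    """Simplified stand-in for c=nofws: strip all whitespace from a line."""
    return re.sub(r"\s+", "", line)

def signed_digest(headers, body):
    """SHA-1 over the h= headers and the body, i.e. the value an rsa-sha1
    signature would cover. The RSA step itself is omitted here."""
    h = hashlib.sha1()
    for name, value in headers:
        if name.lower() in SIGNED:
            h.update(nofws(f"{name}:{value}").encode() + b"\r\n")
    h.update(b"\r\n")  # separator between headers and body
    for line in body.rstrip("\n").split("\n"):
        h.update(nofws(line).encode() + b"\r\n")
    return h.hexdigest()

def tag_subject(headers, tag="[Full-disclosure]"):
    """What the list does to the signed Subject header."""
    return [(n, f"{tag} {v}") if n.lower() == "subject" else (n, v)
            for n, v in headers]

def add_list_header(headers):
    """Adding a header that is not named in h= (constructed value)."""
    return headers + [("List-Id", "<list.example.org>")]

def refold_subject(headers):
    """Whitespace-only change to a signed header, as a relay might refold it."""
    return [(n, v.replace(" ", "\r\n\t")) if n.lower() == "subject" else (n, v)
            for n, v in headers]

# Constructed sample message; only the Subject text comes from the thread.
HEADERS = [("From", "sender@example.com"), ("To", "list@example.org"),
           ("Subject", "Email Security"), ("Message-ID", "<1@example.com>")]
BODY = "Constructed body line.\n"

if __name__ == "__main__":
    base = signed_digest(HEADERS, BODY)
    for label, fn in [("subject tagged", tag_subject),
                      ("unsigned header added", add_list_header),
                      ("subject refolded", refold_subject)]:
        same = signed_digest(fn(HEADERS), BODY) == base
        print(f"{label:22} digest {'unchanged' if same else 'CHANGED'}")
```
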
