×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How a Google Headhunter's E-Mail Revealed Massive Misuse of DKIM

Unknown Lamer posted about a year and a half ago | from the insecurity-through-blatant-idiocy dept.

Encryption 115

concealment writes with a tale of how an email sent to a mathematician led to him discovering that dozens of high profile companies were using easily crackable keys to authenticate mail sent from their domains. From the article: "The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender's DNS records and verify the validity of the signature. Harris wasn't interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

115 comments

This just in... (-1)

Anonymous Coward | about a year and a half ago | (#41754319)

E-mail is an archaic protocol and easily broken.
Film at 11.

Re:This just in... (2)

1s44c (552956) | about a year and a half ago | (#41754451)

Email wasn't broken. DKIM was. Or rather DKIM wasn't really broken, just being misused by Google.

Re:This just in... (3, Insightful)

NatasRevol (731260) | about a year and a half ago | (#41754471)

If it's easy to misuse, doesn't that make it broken?

Re:This just in... (2)

clarkn0va (807617) | about a year and a half ago | (#41754601)

If I fly an airplane into a building, does that mean the airplane's design is broken?

Re:This just in... (5, Insightful)

CaptainJeff (731782) | about a year and a half ago | (#41754675)

If the airplane's design allows you AS A REGULAR PASSENGER to do so, then yes.

Re:This just in... (1)

Bigby (659157) | about a year and a half ago | (#41754823)

So if the pilots all die for whatever reason while flying the plane, then it will crash as designed? Because regular passengers can try to fly it?

Re:This just in... (1)

Desler (1608317) | about a year and a half ago | (#41754943)

And how does an airplane distinguish between pilots and "regular passengers" so that only the former can fly them?

Re:This just in... (2)

Maximum Prophet (716608) | about a year and a half ago | (#41755343)

And how does an airplane distinguish between pilots and "regular passengers" so that only the former can fly them?

The pilots are up front, and the regular passengers sit behind. There's a wall between the two sets of people.

Re:This just in... (2)

VortexCortex (1117377) | about a year and a half ago | (#41758697)

And how does an airplane distinguish between pilots and "regular passengers" so that only the former can fly them?

The pilots are up front, and the regular passengers sit behind. There's a wall between the two sets of people.

OMFG!!!1! HUNDREDS of Pilots!? Only TWO passengers?! What the --Oh, never mind, "behind" is that way... For a second there I had an signed integer overflow in the velocity vector and thought we were just flying backwards, which means that behind and forwa-- Oh, never mind. Sorry about that, I'll try to be a good auto-pilot from here on out.

Boy, the sky sure is blue today... And shiny. I think I can see my reflectioOOOOOOO!!!!!

Try to fly a passenger jet. (0)

Anonymous Coward | about a year and a half ago | (#41755383)

See if your intrusion is noticed.

Re:This just in... (4, Informative)

Obfuscant (592200) | about a year and a half ago | (#41754663)

If it's easy to misuse, doesn't that make it broken?

No.

If I convince ignorant people that PGP signatures prove that they've actually won $47,325,443 in the Nigerian lottery, and all they need to do is send their account details so I can deposit their winnings, is PGP broken?

This wasn't even a true misuse of DKIM. It was use of a 512 bit key.

Something that many people seem to forget is that the strength of the security should be matched against the risk and costs of being broken. If I'm sending you a message that says "meet me at the corner of 5th and Smith St in five minutes", and it takes someone who intercepts the message an hour to break it, then the encryption has done its job just fine. By the time they break it, we will no longer be at 5h and Smith St, and they will have had no time to set up surveillance.

Given the intended use of DKIM, 512 bits is plenty.

Re:This just in... (1)

Anonymous Coward | about a year and a half ago | (#41755333)

The DKIM key isn't changing. Once you have broken the DKIM key you can spoof as many emails from that source as you want until they change their key. This is not like SSL. It doesn't encrypt the message in any way, it is a way to verify the source of the message.

Re:This just in... (0)

Anonymous Coward | about a year and a half ago | (#41756873)

Exactly. It's about authentication, not encryption.

Re:This just in... (4, Informative)

SSpade (549608) | about a year and a half ago | (#41756935)

The DKIM spec itself (RFC6376) says: "Signers MUST use RSA keys of at least 1024 bits for long-lived keys."

It's pretty unequivocal. Google just misconfigured their mailserver.

Re:This just in... (1)

daem0n1x (748565) | about a year and a half ago | (#41759369)

This is public key cryptography we're talking about. 512 bit is not plenty, because it allows you to break the key and then pose as the legitimate private key owner.

It would only be OK if this was a one-time key, and that's not the case.

Re:This just in... (0)

Anonymous Coward | about a year and a half ago | (#41755345)

All my knives are broken.

Re:This just in... (1)

LordLimecat (1103839) | about a year and a half ago | (#41755593)

I dont understand. Obviously there are different crypto algos out there... but why is a 512-bit DKIM key insecure, when AES-192 is considered very secure (actually more secure than 256 due to some flaws AFAIK) with a 192 bit key?

I mean, AES is like a decade old. DKIM is AFAIK much more recent than that. Why do they need larger keys for the same security?

Re:This just in... (2, Interesting)

Anonymous Coward | about a year and a half ago | (#41755823)

AES is synchrounous, same (secret) key used for encrypting and decrypting. Those are generally much harder to break than public key cryptos (with the same key-size), but also not usable for the same things.

Re:This just in... (0)

Anonymous Coward | about a year and a half ago | (#41757783)

(Parent means "symmetric", not "synchronous".)

You can't always compare key sizes between different encryption schemes. For AES with 128-bit keys there are 2**128 possible keys. An RSA key, on the other hand, is the product of two prime numbers. Because prime numbers are rather sparse, there are far fewer than 2**128 possible keys for 128-bit RSA, so we need much larger key sizes than AES for a similar level of security.

Re:This just in... (4, Informative)

ngc3242 (1039950) | about a year and a half ago | (#41756905)

To add more detail to the AC's response.

AES is based on a subsitution-permutation network.
DKIM is based on the RSA signature algorithm which relies on the difficulty of factoring large integers.
Elliptic curve public key cryptography is based on the difficulty of solving a discrete logarithm problem.

The difference in the size of keys between one type of algorithm or another is an expression of the difficulty in solving the underlying problem. Factoring a large integer of X bits (RSA) is relatively easy compared to working through the substitutions and permuations of X bits of AES.

The link below provides a guideline for comparing the key sizes of AES, EC, RSA/DH.
http://www.nsa.gov/business/programs/elliptic_curve.shtml [nsa.gov]

Re:This just in... (2)

Rich0 (548339) | about a year and a half ago | (#41760439)

Others gave good answers, but I'd just take it a step further - you can't really directly compare key lengths for different algorithms.

How long does it take you to solve 100 math problems by hand? Well, when I was in elementary school I was expected to do it in 5 minutes, but those were single-digit add/subtract/multiple/divide problems.

If I asked you to calculate the log of 10 10-digit numbers by hand it would take you a LOT longer than 5 minutes, though a computer could do this quickly.

If I asked you to factor a single number 100 digits long it would take an awfully long time even for a computer, though it would be in the realm of possibility.

Different algorithms use different math, so keys need to be different lengths to be secure. These algorithms are chosen for many reasons, and a shorter key length is only one of them. In many applications it might make more sense to just make all the keys 10x longer if it means that you can do the math on a cheaper and lower power chip. In this particular case, having to use a really long key is worth it because the design of this particular type of crypto system allows n people to communicate with each other with a total of only 2n keys, and not 2^n.

Re:This just in... (1)

godel_56 (1287256) | about a year and a half ago | (#41756775)

Email wasn't broken. DKIM was. Or rather DKIM wasn't really broken, just being misused by Google.

Misused implies some sort of dishonest intent, whereas they were actually just negligent in using a really weak key that the researcher could break on his laptop.

Not only Google but a bunch of other important web sites as well, such as Yahoo, eBay, major banks etc.

Re:This just in... (2)

mlts (1038732) | about a year and a half ago | (#41754627)

The core E-mail protocol itself is supposed to be a brain-dead simple protocol that almost any machine can understand, thus the "S" in SMTP.

It is the additions which are used by the MTAs to allow who can and cannot connect and relay, as well as MUAs to figure out what to do with incoming messages.

Realistically, the ideal for verifying authentication would be an OpenPGP plugin and a far-reaching WoT that each user maintains. However, because certs and having domains sign outgoing mail is "good enough", that has become the standard these days.

I'm surprised no lawyers (0)

Anonymous Coward | about a year and a half ago | (#41754323)

I'm surprise Mr. Harris wasn't accosted by lawyers or law enforcement. Huzzah for common sense.

Re:I'm surprised no lawyers (1)

Jintsui (2759005) | about a year and a half ago | (#41754469)

Its not illegal to crack a key. Worst case scenario he could be charged as a spammer, but I doubt anyone would bother as it was only two people he sent emails to. Not to mention, he didn't try to gain anything financially from the ordeal.

Re:I'm surprised no lawyers (1)

ZeroSumHappiness (1710320) | about a year and a half ago | (#41754747)

Nope. This could be prosecuted under the Computer Fraud and Abuse Act.

"Knowingly accessing a protected computer with the intent to defraud and there by obtaining anything of value."

By suggesting that Google work with him in his email the impersonation could easily be construed as "intent to defraud" with a job offer being the "anything of value" obtained.

C'mon.. (0)

Anonymous Coward | about a year and a half ago | (#41754333)

How could he seriously think it was a headhunter challenge?

He is clearly lying or been living too much outside real world..

Re:C'mon.. (5, Funny)

chill (34294) | about a year and a half ago | (#41754437)

He is clearly lying or been living too much outside real world..

He's a professional mathematician. That's a given.

Re:C'mon.. (1)

Synerg1y (2169962) | about a year and a half ago | (#41755007)

Wasn't there some guy who got arrested for exposing a companies security hole who was fighting extradition or something?

Re:C'mon.. (1)

LordLimecat (1103839) | about a year and a half ago | (#41755629)

Youre mixing several cases I think. There have been cases where people have been sued for exposing holes, but I dont think those cases all turned out super well for the prosecution. Theres also the UK extradition case for the guy who hacked the pentagon.

Not aware of any extradition cases for someone exposing flaws.

Re:C'mon.. (1)

Anne Thwacks (531696) | about a year and a half ago | (#41756221)

The Pentagon computers in question, somewhat foolishly, allegedly used "password" as their password (or null). This does not constitute "hacking" in most people's estimation.I would guess that the majority would consider cracking encryption to be hacking. Whther they would expect it to be illegal, I don't know.

My personal view is that neither should be illegal. However, imptersonating someone else for some kind of gain should be. I do not count a big grin as a gain in this context. You lawyer may disagree.

Re:C'mon.. (0)

Anonymous Coward | about a year and a half ago | (#41755041)

How could he seriously think it was a headhunter challenge?

He is clearly lying or been living too much outside real world..

Clearly he does not want to be thrown in jail for mail fraud, sending those letters with forged signatures. It's a federal crime to pretend to be someone else.

Re:C'mon.. (1)

cayenne8 (626475) | about a year and a half ago | (#41757327)

It's a federal crime to pretend to be someone else.

Seriously? Even if you aren't doing anything illegal, trying to dupe someone out of money..etc....?

Citations of law please?

Vote for me (4, Funny)

Anonymous Coward | about a year and a half ago | (#41754365)

This is Obama, please vote for me. This email is from me, you can verify it using DKIM public keys.

Regards
Romney

Re:Vote for me (-1)

Anonymous Coward | about a year and a half ago | (#41754411)

This is Obama, please vote for me. This email is from me, you can verify it using DKIM public keys.

Regards
Romney

Sad thing is, email is more secure than our voting system.

Re:Vote for me (1)

Anonymous Coward | about a year and a half ago | (#41754591)

This is like taking a porcelain vase and a porcelain doll, smashing both on the floor, and then trying to argue which is more broken.

Re:Vote for me (1)

DarwinSurvivor (1752106) | about a year and a half ago | (#41755751)

My sister used to collect porcelain dolls (I think she still has them). Those things have enought layers of cloth on them, that the pieces (while broken) would probably be kept more or less in place. The vase on the other hand would explode to cover an entire room.

Re:Vote for me (0)

Anonymous Coward | about a year and a half ago | (#41756979)

I don't think that invalidates the analogy. The point was that there's not much value arguing which broken item is "more broken". Especially when neither item is a substitute for the other and both are essentially unusable.

Strong DKIM keys and compatability issues (1)

Anonymous Coward | about a year and a half ago | (#41754421)

It's possible that some of the short DKIM keys were due to concerns over compatibility with other systems. When you have a large heterogeneous environment like email, you sometimes get caught catering to the lowest common denominator.

DKIM keys can exceed the TXT DNS record limit or the UDP byte limit. Some software may not handle joining split TXT DNS records. Others may handle DNS over UDP but not handle TCP for long records.

The Reality (4, Insightful)

MightyMartian (840721) | about a year and a half ago | (#41754461)

So the reality is that, on top of being useless as an anti-spam mechanism, it now turns out to be even worse, and in fact vulnerable to malicious attacks. In other words, it's useless and uselesser.

I was heavily involved in a lot of the discussions surrounding SPF, DKIM and related "solutions" back in the early 2000s, and about the most that we could say about these "solutions" was that you could add a positive number to the score of an email in a weighting system if things checked out, but other than that, there was little to recommend them.

Re:The Reality (1)

1s44c (552956) | about a year and a half ago | (#41754497)

Serious question - What does DKIM do that SPF doesn't?

Re:The Reality (0)

Anonymous Coward | about a year and a half ago | (#41754621)

Serious question - What does DKIM do that SPF doesn't?

Allow ridiculously short keys?

Re:The Reality (3, Insightful)

Medievalist (16032) | about a year and a half ago | (#41754947)

Serious question - What does DKIM do that SPF doesn't?

DKIM is intended to allow mail sent through any server to be shown to be originally from a specific domain, thus preventing spoofing which is the basis of most spamming. SPF just allows server(s) to be identified as valid mailers for a domain, it doesn't work if you forward mail through other undesignated systems (which is still pretty significant, and covers most legitimate use cases).

If you're not checking SPFv1 on incoming mail, you're not a competent email admin. If you're not publishing SPFv1 for your domain you're not a competent DNS admin. This is just basic stuff nowadays; claiming otherwise is like claiming surgeons don't need to know about anatomy.

DKIM requires significant effort by comparison to SPF, and you can still be forgiven (for a little while) for not checking it or generating it.

Re:The Reality (2)

XanC (644172) | about a year and a half ago | (#41755017)

Except SPF is broken by design and shouldn't be used nor its use encouraged, ever.

Re:The Reality (1)

LordLimecat (1103839) | about a year and a half ago | (#41755667)

Care to explain why?

Re:The Reality (1)

XanC (644172) | about a year and a half ago | (#41756047)

Re:The Reality (2)

MillerHighLife21 (876240) | about a year and a half ago | (#41759905)

And that's why they created DMARC. DMARC allows you to specify exactly how mail servers should treat your SPF and DKIM policies. Additionally, you'll get reports from the providers processing it what the origin IPs claiming to deliver email from you are and whether or not they were allowed.

There's also one little note that the entire linked "why not spf" article is based on too...the DMARC reports also include whether or not the mail was forwarded so that mail servers know how to handle it.

The three techniques combined have been extremely effective in phishing spoofing against our domain, which was very heavy until we implemented all three. We've also been tracking deliverability with no issues.

http://www.dmarc.org/ [dmarc.org]

Re:The Reality (2)

Medievalist (16032) | about a year and a half ago | (#41756693)

If you are doing mail forwarding or certain kinds of mailing list paradigms, you can have difficulties with SPF - you'll have to go straight to DKIM or change the way you use mail.

However, the absolute statement the prior poster made is the cry of a butthurt spammer - SPF keeps him from spoofing your address, so it's hurting his v14gr/-\ sales. Spammers hate SPF more than taxes... it's so trivially easy to implement that it's a real threat to their business model. DKIM's even worse for them, but it's also harder to do. You can set up SPF in 15 minutes if you've done it before.

Re:The Reality (1)

Medievalist (16032) | about a year and a half ago | (#41755359)

Oh, and also DKIM serves as a message checksum, so you can be reasonably sure an email wasn't tampered with after it left the sender.

Re:The Reality (2)

timothyf (615594) | about a year and a half ago | (#41756611)

In a nutshell:
In DKIM
-Email provider sets up DNS records with a public DKIM key.
-Email provider's MTA signs valid outgoing email with the private key.
-Recipient MTAs can verify the signature of incoming mail from the email provider with the public key and use this when classifying the message.
-The MTA has to receive the message contents to verify the signature.

In SPF
-Email provider sets up DNS TXT records that specify which hosts are allowed to send mail for a domain.
-Email recipient verifies that the mail is received from one of those hosts and the pass/fail decision is used when classifying the message.
-The MTA can reject the message if the check fails during the SMTP HELO phase without receiving the entire message, if desired.

https://en.wikipedia.org/wiki/DKIM [wikipedia.org]
https://en.wikipedia.org/wiki/Sender_Policy_Framework [wikipedia.org]

Re:The Reality (2)

Sentrion (964745) | about a year and a half ago | (#41754509)

I wonder how many convictions and court judgments relied solely on DKIM evidence that an email came from a defendant, all other evidence being circumstantial. I wonder what potential exist for such decisions to be overturned.

Re:The Reality (1)

TheCarp (96830) | about a year and a half ago | (#41754845)

As for convictions, very few. Based first on my small amount of exposure to trial related forsensics, lawyers are nowhere near so familiar with technology that I am willing to believe that this type of technological point comes up that often.

Beyond that though, very few cases ever actually go to trial, mostly because the past few decades have seen the "justice" system ramp up its program of making sure that the list of charges that you are threatened with if you don't take a plea deal is so large, that even innocent people have quite a lot of incentive to just plead guilty rather than risk losing the lawsuit.

Of course, right now my own state is going over the debacle caused by an unscrupulous state chemist who is alleged to have tampered with drug samples and never have held the proper qualifications for her job, meaning now the courts are hearing thousands of motions to vacate guilty pleas of people who made their plea based on being confronted with evidence that she processed.

I am no lawyer, but, I would think that such an argument would could at least be made under circumstances where it can be argued that an email was an important factor.

Re:The Reality (1)

psmears (629712) | about a year and a half ago | (#41757789)

As for convictions, very few. Based first on my small amount of exposure to trial related forsensics, lawyers are nowhere near so familiar with technology that I am willing to believe that this type of technological point comes up that often.

Plus of course the fact that DKIM usually identifies the domain, rather than the user, so it would generally only be evidence that the email came from a specific ISP (or company), rather than a specific person, which is much less useful.

Re:The Reality (1)

Qzukk (229616) | about a year and a half ago | (#41754569)

was that you could add a positive number to the score of an email in a weighting system if things checked out

If things don't check out, I have spamassassin assign -4 (out of -5 to be spam). If things check out it gets +0.

Re:The Reality (1)

MightyMartian (840721) | about a year and a half ago | (#41754597)

Oh Christ! The last thing on Earth I would ever do is give a negative score to SpamAssassin's rating based on failed or missing SPF and DKIM records. Hell, even missing reverse records, which is popular with some anti-spam folks, lead to way too many false positives.

Re:The Reality (0)

Obfuscant (592200) | about a year and a half ago | (#41754761)

Hell, even missing reverse records, which is popular with some anti-spam folks, lead to way too many false positives.

There is a current email by radio system that is intended for use in catastrophic events as a way of communicating outside the disaster area for things like requests for aid and other important traffic. The radio to internet mail transport checks for MX records for every destination server, and silently throws the email away if there isn't one. The sender gets no notice of failure. The recipient doesn't get anything. Just no communications.

And none of the inbound email servers for the internet to radio side have an MX record.

Re:The Reality (1)

MightyMartian (840721) | about a year and a half ago | (#41754859)

I can understand using SPF and DKIM to that degree in specialized situations. But if you're running a general-use mail server, I think negative scoring based on faulty or missing SPF and DKIM records is asking for an unacceptable number of false positives. I know a lot of mail admins over the years have stood on principle over this sort of thing, and the ISP I was working for did for a while, but increased customer complaints finally lead us to the conclusion that the amount of spam SPF and DKIM scoring stopped was outweighed by the number of false positives we were seeing.

Re:The Reality (1)

Obfuscant (592200) | about a year and a half ago | (#41754793)

So the reality is that, on top of being useless as an anti-spam mechanism, it now turns out to be even worse, and in fact vulnerable to malicious attacks. In other words, it's useless and uselesser.

So if the reality is that it was already useless as an anti-spam mechanism, who cares if it is made "uselesser" as an anti-spam mechanism? Less that zero is still less than zero. If you already can't trust it to mean what it says, why is there such a tizzy that you still can't trust it to mean what it says?

Re:The Reality (1)

MightyMartian (840721) | about a year and a half ago | (#41754873)

The problem is that inexperienced mail admins seem to have a considerable amount of faith in SPF and DKIM, and a good decade or so has passed since these methods were first developed, so the debate around why they are fundamentally flawed is in the past.

The only reason I even have SPF and DKIM records on our mail servers is because some dumb-asses out there do negative weight based on an absence of those records.

Mathematician cracks cryptographic code (0)

Anonymous Coward | about a year and a half ago | (#41754435)

News flash.

There was no misuse (4, Insightful)

hawguy (1600213) | about a year and a half ago | (#41754457)

This was not a misuse of DKIM, or perhaps it was his own misuse in that he thinks DKIM validates the sender of an email. All it does is validate that the email originated from Google's mail servers, but it doesn't neccessarily mean that the address in the From: header wasn't spoofed before it was signed.

In any case, he found that Google (and others) are using an easily cracked 512 bit key, which they silently fixed with a 1024 bit key after he reported it to them by spoofing an email to appear as though it originated at Google.

There was no misuse, 512 bit keys are allowable under the DKIM spec, though they aren't recommended for long-lived keys.

Re:There was no misuse (1)

griego (1108909) | about a year and a half ago | (#41755043)

Yeah, one guy cracks a key and sends two emails with it. Where is the "massive misuse"?

Re:There was no misuse (0)

Anonymous Coward | about a year and a half ago | (#41755475)

DKIM my not validate the sender, but it is supposed to validate the mail server as you say. If you break a DKIM key you can send a mail from anywhere making it appear to be legitimately from a particular mail server even though it wasn't. If your mail servers allow unauthenticated email to be sent from them that is another problem that ought to be fixed. If you allow people to pretend to send email from your server than you are aiding spammers and spear fishers quite a bit.

Re:There was no misuse (1)

hawguy (1600213) | about a year and a half ago | (#41755671)

DKIM my not validate the sender, but it is supposed to validate the mail server as you say. If you break a DKIM key you can send a mail from anywhere making it appear to be legitimately from a particular mail server even though it wasn't. If your mail servers allow unauthenticated email to be sent from them that is another problem that ought to be fixed. If you allow people to pretend to send email from your server than you are aiding spammers and spear fishers quite a bit.

But it's a misuse of DKIM to assume that a DKIM signed message validates the sender since it does no such thing. It makes it more likely that the sender is who he said it is since it validates the sending server, but it really does no validation of the sender himself. It's possible, even likely, that the mail server validated the sender, but that's outside of the scope of DKIM. Even the DKIM signature includes the entire message envelope, there's no guarantee that the message content wasn't altered.

DKIM is a spam reduction solution, and shouldn't be relied about to provide anything more. If you want to validate that the sender actually sent the message that you received, you need to use something like PGP which gives you more assurance that the message that the sender created on his computer is the message that you received.

Re:There was no misuse (1)

darkmeridian (119044) | about a year and a half ago | (#41756137)

It was bad phrasing. Google didn't misuse DKIM as much as it negligently implemented DKIM. The big news was that HSBC and other high-security websites were using weak implementations of DKIM. The problem is that people may rely on DKIM authentication as a sign that it's not phishing. ("Hey, this email from HSBC was signed by DKIM so it's not fake. I guess I'll send a $10,000 check to these guys.")

I am also curious how many keys is used in the Google Apps Premier DKIM. I have a domain with Google Apps, and it might have had a weak key. I reissued a new DKIM key and removed the old one in the hopes that the new key would be strong. But Google should really provide this info during implementation.

Re:There was no misuse (2)

SSpade (549608) | about a year and a half ago | (#41756907)

It's more than "aren't recommended".

RFC6376: "Signers MUST use RSA keys of at least 1024 bits for long-lived keys."

Given Google were using a long-lived key, they were violating a MUST provision in the DKIM spec. (Pedantically, that means they weren't sending DKIM compliant mail at all).

Slight Correction (1)

Fnord666 (889225) | about a year and a half ago | (#41760111)

From hawguy:

which they silently fixed with a 1024 bit key after he reported it to them...

From TFA:

Harris made sure the return path for the e-mails went to his own e-mail account, so that Brin and Page could ask him how heâ(TM)d cracked their puzzle. But Harris never got a response from the Google founders. Instead, two days later, he noticed that Googleâ(TM)s cryptographic key had suddenly changed to 2,048 bits. And he got a lot of sudden hits to his web site from Google IP addresses.(emphasis mine)

Ain't this a classic ?? (1)

vikingpower (768921) | about a year and a half ago | (#41754475)

Individual's sharp-mindedness against corporate stupidity. Happens all the time. I'm proud to be an individual having studied mathematics, even if I landed in IT later on...

It seems from the photo (1)

Neil_Brown (1568845) | about a year and a half ago | (#41754501)

that Swordfish was a premonition — Hugh Jackman really does crack encryption...

Re:It seems from the photo (1)

Fnord666 (889225) | about a year and a half ago | (#41760061)

that Swordfish was a premonition - Hugh Jackman really does crack encryption...

He also apparently likes to channel DaVinci and write backwards from his POV

Sigh (5, Insightful)

EdwinFreed (1084059) | about a year and a half ago | (#41754535)

Shame on Google for using a weak key, but also shame on this article for being more than a little hyperbolic.

If you, you know, actually read the standard, or even the Wikipedia page, you'll see that DKIM is not intended to be used as a signature mechanism in the same way as S/MIME or PGP. Rather, it's a means to assert responsibility for sending the message, it's done at the domain rather than user level, and verification results are intended to be used for message filtering, not for asserting that so-and-so actually signed the message.

Sure, the underlying technology is based on hashes, signatures, signature verification, and so on but that's because there's no other way to do it. The fact that DKIM allows for the application of relaxed interpretation of both message header and body data kinda tells you it's not intended to be used to provide an absolute assurance that what you got is authentic in every way.

DKIM is also not intended to be the ultimate source of information for filtering. Rather, DKIM results are supposed to be combined with other metrics to form an overall assessment of message validity. And that's a very good thing, since I get all sorts of spammy stuff that makes it through Google, including getting a legitimate DKIN signature attached. Other filtering mechanisms are needed to block such crap.

All that said, it's very disappointing to see yet another case where Google has seen fit to play fast and loose with standards. This is happening much too often.

Re:Sigh (1)

Anonymous Coward | about a year and a half ago | (#41754649)

The problem is that signing implies a level of trust that spam filters at Google take into account. So, unless you are a spammer, it is indeed a giant problem to have weak keys.

Re:Sigh (1)

fm6 (162816) | about a year and a half ago | (#41754871)

Rather, DKIM results are supposed to be combined with other metrics to form an overall assessment of message validity.

Which is exactly how my Tuffmail account is configured to use it. Unfortunately, there are many borderline cases where using DKIM is just enough to make my filters decide to forward it. I'm seeing the protocol as pretty useless.

Re:Sigh (1)

Zontar_Thing_From_Ve (949321) | about a year and a half ago | (#41755209)

All that said, it's very disappointing to see yet another case where Microsoft has seen fit to play fast and loose with standards. This is happening much too often.

Fixed that for you. Well, at least it's true in general if maybe not so much in this specific case.

Re:Sigh (1)

EdwinFreed (1084059) | about a year and a half ago | (#41759123)

I fail to see the relevance. Yes, Microsoft has played fast and loose with various standards, including some critical ones in email. And the surrounding the handling of text/plain as text/each-long-line-is-a-paragraph plus the failure to support format=flowed is arguably the email standards violation with far and away the most impact.

But this doesn't mean Google doesn't also have a lot to answer for. Gmail IMAP compliance in particular is pretty bad, and SMTP handling of error conditions pushes things right to the limits if not past them.

"onto their game"? (1)

93 Escort Wagon (326346) | about a year and a half ago | (#41754611)

Is it this guy's supposition that Brin and Page were using weak, crackable keys deliberately?

Re:"onto their game"? (0)

Anonymous Coward | about a year and a half ago | (#41754853)

Yes. Well not those two per se, but he thought a recruiter might be using this as a test to filter qualified applicants.

Re:"onto their game"? (2)

malakai (136531) | about a year and a half ago | (#41754883)

It's a horrible article. It's really trying to make out like it was some cloak and dagger, crypto-cracking fu used by this 'mathmatician' against the founders of Google. He mentions ( many times, like The Lady Doth Protest Too Much, methinks... ) that he thought it was an elaborate test. I read his take on this to be a defensive argument, in case they choose to go after him for spoofing e-mails. Which is what he did.

Re:"onto their game"? (2)

squiggleslash (241428) | about a year and a half ago | (#41755081)

From the article, yes, it appears the mathematician thought, strangely, that he was being sent some kind of test, by Google, because the original recruitment email to him didn't appear to be particularly relevent to his skillset.

Yeah, exactly. Like a lot of very (genuinely) smart people, not very smart!

Backscatter (1)

phorm (591458) | about a year and a half ago | (#41754637)

I had until more recently been getting a bunch of "backscatter" hits to my gmail hosted account.
While the return message seemed legit, the email that supposedly went out from (an nonexistent account) at my domain was not.

I wonder if the spammers were already taking advantage of this vulnerability. I do notice that more recently I haven't got any of these.

Not Seeing Any Use For DKIM (1)

fm6 (162816) | about a year and a half ago | (#41754829)

Half the spam that makes it through my filters is DKIM-signed. Spammers use it to make the email look less bogus. Of course, that means that they have to use a real domain and hosting provider that they eventually lose — but domains are cheap, and changing hosts is no big deal.

Re:Not Seeing Any Use For DKIM (1)

John Hasler (414242) | about a year and a half ago | (#41754991)

> Half the spam that makes it through my filters is
> DKIM-signed.

Same here, and half of that is signed by Yahoo. I'm seriously considering telling Spamassassin to increase the spam score of DKIM-signed messages, not decrease it.

Re:Not Seeing Any Use For DKIM (1)

fm6 (162816) | about a year and a half ago | (#41755549)

I've configured Sieve to bounce all mail from Yahoo, except for a few relatives who use it.

Google Apps DKIM (1)

starslab (60014) | about a year and a half ago | (#41754911)

Ru-oh!

I'd better take a closer look at the automatically generated DKIM keys for the several Google Apps domains I oversee....

Vulnerability Note VU#268267 (4, Informative)

DERoss (1919496) | about a year and a half ago | (#41754949)

This problem has been reported by the US-CERT (part of the US Department of Homeland Security [Insecurity?]) at http://www.kb.cert.org/vuls/id/268267 [cert.org]. See that link for an authoritative report on the meaning of this problem and how to avoid it.

That's what I would think as well! (2)

SoTerrified (660807) | about a year and a half ago | (#41755087)

From the article, the line:
Harris thought there was no way Google would be so careless, so he concluded it must be a sly recruiting test to see if job applicants would spot the vulnerability.

That's exactly how I would think.

Re:That's what I would think as well! (0)

Anonymous Coward | about a year and a half ago | (#41757637)

I was setting up DKIM some months ago, and for comparison to an existing site, I looked at... a Google recruiter's email. I found their 2048-bit key and thought it seemed excessive for my setup and used 1024-bit for mine. Now I know how their choice came about!

Guys longer keys would run afoul with DoD (1)

140Mandak262Jamuna (970587) | about a year and a half ago | (#41755427)

I don't know if it is still true. I no longer attend all those export compliance meetings. But when I used to we used worry about the cryptographic key lengths. If we use any crypto algo that is stronger than a certain threshold we need to run them through some national security agency (lack of capitalization very intentional). It is very much possible they were using a weaker key when those regulations were in place. Either they completed the paper work to release a software produce stronger than 512 bits to foreign markets or the threshold has been raised and these guys have been following the golden rule,:

"if ( it ain't broken, ||

the original coder has since left the company ||

no one has touched that header for four years ||

the code is abandoned without any "owner" in the company ||

it is living in a branch of source code deemed "legacy"){

don't fix it;

}

Re:Guys longer keys would run afoul with DoD (0)

Anonymous Coward | about a year and a half ago | (#41757165)

False.

Previously, Department of State's Directorate of Defense Trade Controls (DDTC) had stuff to do with crypto. Now, Department of Commerce usually controls it. Unless it's crypto in an item controlled by ITAR.

http://www.bis.doc.gov/encryption/flowchart1.pdf
http://www.bis.doc.gov/encryption/decision_tree.pdf

Is the item publicly available encryption source code?
Yes. Self Classify as 5D002. See License Exception TSU (740.13(e)) for notification requirement
http://www.gpo.gov/fdsys/pkg/CFR-2012-title15-vol2/pdf/CFR-2012-title15-vol2-sec740-13.pdf

Basically, you're supposed to send an email. If you write the software. No need if you're just using it.

- Anon International Trafficker of Arms and Whatnot Coward

Was it a centithread on misc? (1)

Wee (17189) | about a year and a half ago | (#41755575)

Instead, two days later, he noticed that Googleâ(TM)s cryptographic key had suddenly changed to 2,048 bits. And he got a lot of sudden hits to his web site from Google IP addresses.

So, googlers: How'd misc react to this? I can see all sorts of spoofing fun going on...

-B

Test argument purely for defense. (1)

flimflammer (956759) | about a year and a half ago | (#41755989)

There's no way he seriously believed this was a sly test the recruiters were sending out to weed applicants. He's just saying that to cover his ass if Google actually peruses him legally for what he did.

But really though, all this system is for is for certifying that mail actually did come from a specific domain, not a specific sender. I'm not seeing the huge misuse here.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...