Full Disclosure mailing list archives
Re: Email Security
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 30 Dec 2005 18:28:32 +1300
Gary E. Miller wrote:
Yo All! Sorry to actually talk about security here, but this has been bugging me for a while. Check out the headers in the email I just got from this list below.
If you think DomainKeys has anything to do with "security" you either have no clue what DomainKeys is and does or what security is...
Pay particular attentiom to this header that shows gmail signed the original message: DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:conte nt-type:references; b=CQy5RMmQmeDJoDvXBSoE3v/YxxeBPc4IA6LVT/GgWBA2oLOCW3GXWm+u/I4MT2v8LxpcJj3ntc 6F4bOTORFK7BTPZKPL/QzFEydGmzcpN/4MO+myrzc8GgDTCliPpNH0TvhdPunxVMHqSMSHaMkdJq pXnHYohxyCQY/bmx5Mc/I= Now notice this one that shows the signature failed after going through full-disclosure: Authentication-Results: catbert.rellim.com from=zoidenator () gmail com; domainkeys=fail (testing) Is there any way to get the list fixed so that DomainKeys signing is not being corrupted? I know this is non-trivial but if we can't figure it out then no mere mail admin has a chance.... It seems to me that gmail included the sbject in the resultant hash and the [full-disclosure] tag added to the subject changes the hash.
Yep -- you'd expect that to break DomainKeys...
Not sure what the proper workaround is, ...
The "proper workaround" is to ignore DomainKeys. Even better, if you're in a position to setup further things that will break DomainKeys, the "proper workaround" is to setup those things too.
... but I think the mailing list is supposed to rehash the whole thing. DomainKeys is not an RFC yet, but it will be soon. We gotta do something about the flood of spam. My spamfilter caught 11k+ spam just last weekend on just my persoanl account....
If you think DomainKeys has anything to do with spam then you clearly have no grip on what spam is, why we have it and the totally trivial "fix" the major spammers will make to totally subvert DomainKeys (and SPF and Sender ID and all other weak "authentication" methods suggested by morons who want to stop spam but have equally little grip as you on what spam is and why we have it). The list maintainer should be commended for running a service that shows one of the many weaknesses and stupidities of DomainKeys because doing so will hopefully make enough of the marginally sensible Email admins out there wary of supporting it, as widespread adoption of DomainKeys will just be a waste of time and mony _IF_ you are spending that time and money on it "because it will (help) stop spam". Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Email Security Gary E. Miller (Dec 29)
- Re: Email Security Nick FitzGerald (Dec 29)
- Re: Email Security Gary E. Miller (Dec 29)
- Re: Email Security Nick FitzGerald (Dec 29)