Re: Email Security

[Nick FitzGerald <nick () virus-l demon co uk>]

Gary E. Miller wrote:

> Yo All!
>
> Sorry to actually talk about security here, but this has been bugging
> me for a while.  Check out the headers in the email I just got from
> this list below.

If you think DomainKeys has anything to do with "security" you either 
have no clue what DomainKeys is and does or what security is...

> Pay particular attentiom to this header that shows gmail signed the
> original message:
>
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
>     h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:conte
>     nt-type:references;
>     b=CQy5RMmQmeDJoDvXBSoE3v/YxxeBPc4IA6LVT/GgWBA2oLOCW3GXWm+u/I4MT2v8LxpcJj3ntc
>     6F4bOTORFK7BTPZKPL/QzFEydGmzcpN/4MO+myrzc8GgDTCliPpNH0TvhdPunxVMHqSMSHaMkdJq
>     pXnHYohxyCQY/bmx5Mc/I=
>
>
> Now notice this one that shows the signature failed after going through
> full-disclosure:
>
> Authentication-Results: catbert.rellim.com from=zoidenator () gmail com;
>     domainkeys=fail (testing)
>
> Is there any way to get the list fixed so that DomainKeys signing is
> not being corrupted?  I know this is non-trivial but if we can't
> figure it out then no mere mail admin has a chance....
>
> It seems to me that gmail included the sbject in the resultant hash
> and the [full-disclosure] tag added to the subject changes the hash.

Yep -- you'd expect that to break DomainKeys...

> Not sure what the proper workaround is, ...

The "proper workaround" is to ignore DomainKeys.  Even better, if 
you're in a position to setup further things that will break 
DomainKeys, the "proper workaround" is to setup those things too.

> ... but I think the mailing list
> is supposed to rehash the whole thing.
>
> DomainKeys is not an RFC yet, but it will be soon.  We gotta do
> something about the flood of spam.  My spamfilter caught 11k+ spam just
> last weekend on just my persoanl account....

If you think DomainKeys has anything to do with spam then you clearly 
have no grip on what spam is, why we have it and the totally trivial 
"fix" the major spammers will make to totally subvert DomainKeys (and 
SPF and Sender ID and all other weak "authentication" methods suggested 
by morons who want to stop spam but have equally little grip as you on 
what spam is and why we have it).

The list maintainer should be commended for running a service that 
shows one  of the many weaknesses and stupidities of DomainKeys because 
doing so will hopefully make enough of the marginally sensible Email 
admins out there wary of supporting it, as widespread adoption of 
DomainKeys will just be a waste of time and mony _IF_ you are spending 
that time and money on it "because it will (help) stop spam".


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/