Message-ID: <43B57C50.15019.2F1C19DF@nick.virus-l.demon.co.uk>
Date: Fri Dec 30 05:28:46 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Email Security
Gary E. Miller wrote:
> Yo All!
>
> Sorry to actually talk about security here, but this has been bugging
> me for a while. Check out the headers in the email I just got from
> this list below.
If you think DomainKeys has anything to do with "security" you either
have no clue what DomainKeys is and does or what security is...
> Pay particular attention to this header that shows gmail signed the
> original message:
>
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
> h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:conte
> nt-type:references;
> b=CQy5RMmQmeDJoDvXBSoE3v/YxxeBPc4IA6LVT/GgWBA2oLOCW3GXWm+u/I4MT2v8LxpcJj3ntc
> 6F4bOTORFK7BTPZKPL/QzFEydGmzcpN/4MO+myrzc8GgDTCliPpNH0TvhdPunxVMHqSMSHaMkdJq
> pXnHYohxyCQY/bmx5Mc/I=
>
>
> Now notice this one that shows the signature failed after going through
> full-disclosure:
>
> Authentication-Results: catbert.rellim.com from=zoidenator@...il.com;
> domainkeys=fail (testing)
>
> Is there any way to get the list fixed so that DomainKeys signing is
> not being corrupted? I know this is non-trivial but if we can't
> figure it out then no mere mail admin has a chance....
>
> It seems to me that gmail included the subject in the resultant hash
> and the [full-disclosure] tag added to the subject changes the hash.
Yep -- you'd expect that to break DomainKeys...
> Not sure what the proper workaround is, ...
The "proper workaround" is to ignore DomainKeys. Even better, if
you're in a position to set up further things that will break
DomainKeys, the "proper workaround" is to set up those things too.
>... but I think the mailing list
> is supposed to rehash the whole thing.
>
> DomainKeys is not an RFC yet, but it will be soon. We gotta do
> something about the flood of spam. My spamfilter caught 11k+ spam just
> last weekend on just my personal account....
If you think DomainKeys has anything to do with spam then you clearly
have no grip on what spam is, why we have it and the totally trivial
"fix" the major spammers will make to totally subvert DomainKeys (and
SPF and Sender ID and all other weak "authentication" methods suggested
by morons who want to stop spam but have equally little grip as you on
what spam is and why we have it).
The list maintainer should be commended for running a service that
shows one of the many weaknesses and stupidities of DomainKeys because
doing so will hopefully make enough of the marginally sensible Email
admins out there wary of supporting it, as widespread adoption of
DomainKeys will just be a waste of time and money _IF_ you are spending
that time and money on it "because it will (help) stop spam".
Regards,
Nick FitzGerald
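The subject-tag breakage Gary describes, as an added example that is not part of the original thread: a constructed message, a simplified nofws canonicalization modelled on RFC 4870, and a check of whether a verifier's recomputed hash still matches after the list prepends its tag (the header values, body and the `[Full-disclosure]` tag are assumptions).

```python
import hashlib

# Constructed sample message, not the original list post. Header names follow
# the order of the quoted h= list; only a subset is used here.
SIGNED_HEADERS = ["message-id", "date", "from", "to", "subject"]
ORIGINAL = {
    "message-id": "<constructed-123@example.com>",
    "date": "Fri, 30 Dec 2005 05:28:46 +0000",
    "from": "sender@example.com",
    "to": "full-disclosure@example.org",
    "subject": "Email Security",
}
BODY = "Yo All!\r\n\r\nSorry to actually talk about security here.\r\n\r\n"

def nofws(line):
    """Approximation of RFC 4870 'nofws': drop every whitespace character,
    so re-folding a header or re-wrapping a line does not change the hash."""
    return "".join(line.split())

def canonical_form(headers, body, signed):
    """Bytes a DomainKeys signer hashes (simplified): each covered header as
    name:value with whitespace removed, CRLF-separated, a blank line, then
    the body lines with whitespace removed and trailing empty lines dropped."""
    head = [nofws(name + ":" + headers[name]) for name in signed if name in headers]
    body_lines = [nofws(l) for l in body.split("\r\n")]
    while body_lines and body_lines[-1] == "":
        body_lines.pop()
    return ("\r\n".join(head) + "\r\n\r\n" + "\r\n".join(body_lines) + "\r\n").encode()

def domainkeys_hash(headers, body, signed=SIGNED_HEADERS):
    """SHA-1 over the canonical form; the b= value is an RSA signature of this."""
    return hashlib.sha1(canonical_form(headers, body, signed)).hexdigest()

def list_rewrite(headers, tag="[Full-disclosure]"):
    """What list software does on the way through: prepend a tag to Subject."""
    rewritten = dict(headers)
    rewritten["subject"] = tag + " " + headers["subject"]
    return rewritten

def signature_survives(original, received, body, signed=SIGNED_HEADERS):
    """A verifier rehashes what it received; the signer's b= can only verify
    if that hash equals the one the signer produced."""
    return domainkeys_hash(original, body, signed) == domainkeys_hash(received, body, signed)

if __name__ == "__main__":
    tagged = list_rewrite(ORIGINAL)
    print("subject signed, list adds tag:", signature_survives(ORIGINAL, tagged, BODY))
    refolded = dict(ORIGINAL, to="full-disclosure@example.org\r\n\t")
    print("same headers, only re-folded (nofws):", signature_survives(ORIGINAL, refolded, BODY))
```

Dropping Subject from the signed header list lets the tag through, at the cost of leaving the subject unsigned; re-signing at the list, as Gary mentions, is the other option.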