[ISN] How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole

From: InfoSec News <alerts_at_private>
Date: Thu, 25 Oct 2012 02:13:53 -0500 (CDT)
http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/

By Kim Zetter
Threat Level
Wired.com
10.24.12

It was a strange e-mail, coming from a job recruiter at Google, asking 
Zachary Harris if he was interested in a position as a site-reliability 
engineer.

“You obviously have a passion for Linux and programming,” the e-mail 
from the Google recruiter read. “I wanted to see if you are open to 
confidentially exploring opportunities with Google?”

Harris was intrigued, but skeptical. The e-mail had come to him last 
December completely out of the blue, and as a mathematician, he didn’t 
seem the likeliest candidate for the job Google was pitching.

So he wondered if the e-mail might have been spoofed – something sent 
from a scammer to appear to come from the search giant. But when Harris 
examined the e-mail’s header information, it all seemed legitimate.

Then he noticed something strange. Google was using a weak cryptographic 
key to certify to recipients that its correspondence came from a 
legitimate Google corporate domain. Anyone who cracked the key could use 
it to impersonate an e-mail sender from Google, including Google 
founders Sergey Brin and Larry Page.

The problem lay with the DKIM key (DomainKeys Identified Mail) Google 
used for its google.com e-mails. DKIM involves a cryptographic key that 
domains use to sign e-mail originating from them – or passing through 
them – to validate to a recipient that the domain in the header 
information on an e-mail is correct and that the correspondence indeed 
came from the stated domain. When e-mail arrives at its destination, the 
receiving server can look up the public key through the sender’s DNS 
records and verify the validity of the signature.
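
As an added illustration (not part of the Wired article or the InfoSec News post), the Python sketch below shows how a defender could size the RSA key published in a DKIM DNS TXT record and flag one that is too short. The record text is passed in as a string, so the DNS lookup itself is left out; the function names, the 1024-bit floor taken from RFC 8301, and the sample records built from made-up moduli are assumptions of this example.

```python
import base64

MIN_BITS = 1024  # RFC 8301: verifiers must not accept RSA keys under 1024 bits

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus size of a SubjectPublicKeyInfo or bare RSAPublicKey structure."""
    tag, start, _ = _tlv(der, 0)                # outer SEQUENCE
    tag, start, end = _tlv(der, start)          # AlgorithmIdentifier, or the modulus
    if tag == 0x30:                             # SPKI form
        tag, start, end = _tlv(der, end)        # BIT STRING wrapping RSAPublicKey
        tag, start, end = _tlv(der, start + 1)  # +1 skips the unused-bits octet
        tag, start, end = _tlv(der, start)      # INTEGER modulus
    if tag != 0x02:
        raise ValueError("not an RSA public key")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_dkim_record(txt):
    """Return (verdict, bits); verdict is ok, weak, revoked or skipped."""
    parts = (p.partition("=") for p in txt.split(";"))
    tags = {k.strip(): "".join(v.split()) for k, _, v in parts}
    if tags.get("k", "rsa") != "rsa":
        return "skipped", None                  # non-RSA key type: nothing to size here
    if not tags.get("p"):
        return "revoked", None                  # empty p= means the key was withdrawn
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return ("weak" if bits < MIN_BITS else "ok"), bits

def _der(tag, body):  # DER-encode one element; used only to build the samples
    n, octets = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | octets]) + n.to_bytes(octets, "big")
    return bytes([tag]) + size + body

def sample_record(bits):
    """Constructed input: made-up modulus of the given size, not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `check_dkim_record(sample_record(512))` returns `('weak', 512)`, while a constructed 2048-bit record returns `('ok', 2048)`.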

[...]


Received on Thu Oct 25 2012 - 00:13:53 PDT
