If someone tries some sort of man-in-the-middle inline injection attack to pull this off, sure, I can see DKIM catching that. But the really, really nasty bit is the assumption that you (the target) are running an email client that automatically decrypts any inbound message and renders the HTML for display regardless of the message source. I (the bad guy) grab an original encrypted message bound for you (because I see it transit the network, or get access to your message store, or many other reasons), pull out the message body with the ciphertext, create a new multi-part (assuming we're talking about the direct attack) and send it to you as mailfrom: [email protected], dkim-domain: badplacehere.xyz, from: "PERSON YOU KNOW, FOR REALZ" <[email protected]>. You're tapping next, next, next in your email client, the client loads my message, sends me the decrypted text, and you scratch your head wondering why you got two copies of the message. Or even better, I set up my first body to just be something innocent like "Hey, have any updates?" and then change the font size to zero, or the text color to white, or something like that... so you wouldn't even see the original message rendered.
On Tue, May 15, 2018 at 12:09 PM, John Levine <[email protected]> wrote:
> In article <66d513ca-f33d-748b-e394-bceb6e1da525@spamtrap.tnetconsulting.net> you write:
> >-=-=-=-=-=-
> >
> >On 05/15/2018 08:15 AM, Kurt Andersen wrote:
> >> Manipulating MIME structures in email messages to expose the encrypted
> >> content: https://efail.de/
> >
> >DKIM will not help protect against #Efail.
> >
> >Efail works by copying ciphertext into a new message and arranging for
> >the client to decrypt it. Said new message is devoid of any association
> >with DKIM.
>
> I suppose, for the 10 seconds from the time the message is created
> until the attacker's MTA signs it on the way out. The bad guy can put
> a return address he controls on the malicious message and make the
> whole thing DMARC compliant.
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>

--
PAUL ROCK
Sr Software Dev Engineer | AOL Mail
P: 703-265-5734 | C: 703-980-8380
AIM: paulsrock
22070 Broderick Dr. | Dulles, VA | 20166-9305
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
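As an added example (not code from the thread or from any of its posters), a stdlib Python check for the two properties the exchange above turns on: PGP ciphertext sitting in an ordinary multipart next to HTML parts instead of inside an RFC 3156 multipart/encrypted container, and a DKIM d= domain that aligns with the From domain so DMARC passes while only the display name carries the spoof. The sample message, the mailer@badplacehere.xyz address and the signature tag values are constructed for the example.

```python
import re
from email import message_from_string, policy
ARMOR = "-----BEGIN PGP MESSAGE-----"
# Constructed sample in the shape the post describes: attacker-signed, HTML parts around pasted ciphertext.
SAMPLE = """\
From: "PERSON YOU KNOW, FOR REALZ" <mailer@badplacehere.xyz>
DKIM-Signature: v=1; a=rsa-sha256; d=badplacehere.xyz; s=sel; h=from; bh=AAAA; b=BBBB
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Hey, have any updates?
--b1
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
dummyciphertextdummyciphertext
-----END PGP MESSAGE-----
--b1
Content-Type: text/html

</body></html>
--b1--
"""
def find_armor_beside_html(msg):
    """(container type, index of ciphertext part, text/html sibling count) for armor outside RFC 3156 multipart/encrypted."""
    findings = []
    for container in msg.walk():
        if not container.is_multipart() or container.get_content_type() == "multipart/encrypted":
            continue
        children = container.get_payload()
        html = sum(1 for c in children if c.get_content_type() == "text/html")
        for i, child in enumerate(children):
            if child.is_multipart() or child.get_content_maintype() != "text":
                continue
            if html and ARMOR in child.get_content():
                findings.append((container.get_content_type(), i, html))
    return findings

def dkim_alignment(msg):
    """(display name, From domain, DKIM d= domain, aligned): aligned means DMARC can pass; only the name is spoofed."""
    addr = msg["From"].addresses[0]
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    d = (m.group(1) if m else "").lower()
    return addr.display_name, addr.domain.lower(), d, bool(d) and d == addr.domain.lower()

def scan(raw):
    msg = message_from_string(raw, policy=policy.default)
    return find_armor_beside_html(msg), dkim_alignment(msg)
```

A client-side mitigation follows directly from the first check: refuse to auto-decrypt armor found anywhere but a multipart/encrypted container, and never render the decrypted result inside surrounding HTML from the same message.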
