On Mon, May 20, 2024 at 5:29 PM John Levine <[email protected]> wrote:
> It appears that Wei Chuang <[email protected]> said:
> >
> >Hi DKIM folks,
> >As many of you know there was a DKIM security vulnerability disclosure
> >Friday around the signature header body length tag "l=". The blog post is
> >here: https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/
> >The authors state that an adversary can append a malicious footer to a
> >message with DKIM w/body length, then rewrite the Content-type header mime
> >delimiter, that will cause the apparent body to be that of the footer but
> >will authenticate as the original DKIM signature.
>
> This exact attack is described on page 41 of RFC 6376:
>
>    If the "l=" signature tag is in use (see Section 3.5), the Content-
>    Type field is also a candidate for being included as it could be
>    replaced in a way that causes completely different content to be
>    rendered to the receiving user.
>
> There really is nothing whatsoever new here.
>
> I agree that it would be a good idea to discourage people from using
> the l= tag but first I am trying to talk to the few places that send
> me l= mail and see if I can figure out why they do it.
>

As the blog post authors state, the new thing is that folks are using DKIM with body length "l=" tag. I too was surprised to see data supporting what the author wrote, that many many senders are signing DKIM with body length. While small in overall traffic volume, they are a diverse group with many Fortune 500 companies and others with significant infrastructure responsibilities that send messages with DKIM with body length. Over the last 7 days there are 71048 distinct domains that had at least one passing DKIM signature with body length. There is a long tail of senders with just a few messages of their overall traffic volume which masks their usage, but many also send the majority of their traffic signed with body length and thus much more easily found.

-Wei
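The thread's point is that a receiver (or a sender auditing its own outbound mail) can spot the risky configuration just by looking at the DKIM-Signature tag list: an "l=" tag means the body is only partially signed, and RFC 6376 recommends also listing Content-Type in "h=" in that case. The following audit helper is an added example written for this message, not code from either poster; the sample header values are constructed and the hash/signature fields are placeholders.

```python
import re

# Constructed DKIM-Signature header values (not taken from any real message).
SIGNED_WITH_LENGTH = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\th=from:to:subject:date; l=1024; bh=PLACEHOLDER=; b=PLACEHOLDER="
)
SIGNED_WITH_LENGTH_AND_CT = (
    "v=1; a=rsa-sha256; d=example.com; s=sel1; "
    "h=From:Content-Type:Subject; l=1024; bh=PLACEHOLDER=; b=PLACEHOLDER="
)
SIGNED_WHOLE_BODY = (
    "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:subject; "
    "bh=PLACEHOLDER=; b=PLACEHOLDER="
)


def parse_tags(header_value: str) -> dict:
    """Parse an RFC 6376 tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def audit_body_length(header_value: str) -> list:
    """Return human-readable findings about l= usage in one DKIM-Signature value."""
    tags = parse_tags(header_value)
    findings = []
    if "l" not in tags:
        return findings  # whole body is signed; nothing to flag
    findings.append("l= present: signature covers only part of the body")
    # Header names in h= are case-insensitive (RFC 6376 section 3.5).
    signed_headers = {h.lower() for h in tags.get("h", "").split(":") if h}
    if "content-type" not in signed_headers:
        findings.append("Content-Type not in h=: MIME boundary can be changed without "
                        "breaking the signature")
    if tags["l"] == "0":
        findings.append("l=0: no part of the body is signed")
    return findings
```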
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
