----- Original Message -----
From: "Wietse Venema" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, September 12, 2006 12:22 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>>>What was the advantage of SSP with look-alike domains?
>>>
>> To find large unproductive ratholes? Neither DKIM or SSP claim
>> to have any direct effect on look-alike domain names, and
>> there's nothing in our
>
> DKIM_BASE allows a recipient to distinguish mail from the bank from
> look-alike mail that pretends to be from the bank. That information
> comes in the form of the signing domain.
>
> SSP has an advantage when we assume that criminals are stupid enough
> to keep sending forged mail. It has no advantage with look-alike
> attacks. Guess what criminals will do.
hmmmmmmmmm, unless I didn't follow you right, I fail to see the distinction
or your point.
Scenario #1 - No Phishing in 2822.From, Phishing in signing domain. NO SSP
defined.
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your Account Info
DKIM-Signature: d=paypa1.com; s=sept06; <-- valid 3PS
Here, the 3PS is valid using a look-alike domain (character one is used
instead of el). The x822.From is really paypal.com and no SSP is defined.
The result in a NO SSP environment is a VALID message with the awful
possibility some stupid Presentation software will say:
* Good Signature from [EMAIL PROTECTED] signed by
paypa1.com
Scenario #2 - Phishing in 2822.From, Phishing in signing domain.
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your Account Info
DKIM-Signature: d=paypa1.com; s=sept06; <-- valid 3PS
Here, the 3PS is valid using a look-alike domain (character one is used
instead of el). The x822.From is also phished. The bad guy can have NO SSP
or an SSP with a designated allow list for paypa1.com
So I don't see how it matters.
But I will say that if PAYPAL.COM (the real domain) used SSP in scenario #1,
then at the very least, the real domain is protected against a phished
signing domain when using SSP. So to me, SSP still has the advantage over a
DKIM-BASE only environment.
SSP can protect against a PHISHED DKIM-BASE SIGNATURE. A slight
distinction over a phished 2822.From domain. In short, the bad guy would
have to phish both domains - the author's and the signing domain.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com