NNSquad - Network Neutrality Squad

[ NNSquad ] "How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole" + my comments

"How a Google Headhunter's E-Mail Unraveled a Massive Net Security
Hole" + my comments
http://j.mp/QXdOnZ  (This message on Google+)

 - - -

http://j.mp/QXeppK  (Wired)

   "The problem lay with the DKIM key (DomainKeys Identified Mail) Google
    used for its google.com e-mails. DKIM involves a cryptographic key
    that domains use to sign e-mail originating from them - or passing
    through them - to validate to a recipient that the header information
    on an e-mail is correct and that the correspondence indeed came from
    the stated domain. When e-mail arrives at its destination, the
    receiving server can look up the public key through the sender's DNS
    records and verify the validity of the signature."

 - - -

Well, what appeared to be mail from a headhunter anyway.  But the
irony here is that DKIM is much less useful in preventing these kinds
of (spam-related, human engineering) attacks than might be thought,
since (a) most sites -- including legit ones -- don't routinely
support it, and (b) most email recipients are largely oblivious to any
associated warnings.  So, while DKIM indicating a problem with mail
from the citi.com domain might be noticed by some users running
compatible MUAs (Message User Agents), mail coming from a forged,
non-DKIM supporting domain like citi-banking.com would probably be
accepted as reasonable by many or most recipients.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
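As an added example (it is not part of Lauren's post, the Wired article, or any Google or NNSquad code), the following Python walks through the DKIM mechanics the quoted Wired paragraph describes: the sender signs selected headers and a body hash with an RSA key, publishes the public key as a TXT record at selector._domainkey.domain, and the receiver fetches that record and checks the signature. It also exercises the point made in the comments: mail from a lookalike domain that publishes no DKIM key at all comes back as "none", not as a failure. Everything in it is constructed for illustration: the domains bank.example and bank-secure.example, the selectors s2012 and old, the message text, the dict that stands in for DNS, and a textbook pure-Python RSA (seeded with Python's non-cryptographic `random`, so it must not be used for real keys). Rejecting keys shorter than 1024 bits is a local verifier policy chosen here, matching the minimum RFC 6376 requires of signers; the RFC itself asks verifiers to accept keys down to 512 bits.

```python
"""DKIM signer/verifier demo: RFC 6376 subset (a=rsa-sha256, c=relaxed/simple).
Constructed example. RSA/DER below are textbook code for illustration only;
DNS is simulated with a dict in place of a real TXT query."""
import base64, hashlib, random, re

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 DigestInfo prefix

def _is_probable_prime(n, rounds=20):                      # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits, e=65537):
    """Return (n, e, d) with n exactly `bits` long. Demo only: `random` is not a CSPRNG."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and (p * q).bit_length() == bits:   # e is prime, so phi % e != 0 => gcd 1
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(data, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(data, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(data, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15(data, k)                  # compare the whole encoding; no lenient parsing

# --- SubjectPublicKeyInfo DER, the format carried in the p= tag of the DNS record ---
def _der(tag, payload):
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload

def _der_int(i):
    return _der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))   # leading 0x00 iff top bit set

RSA_OID = bytes.fromhex("06092a864886f70d010101")             # rsaEncryption

def rsa_public_to_spki(n, e):
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(e))))

def _der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def spki_to_rsa_public(blob):
    _, spki, _ = _der_read(blob)
    _, alg, pos = _der_read(spki)
    if alg[:len(RSA_OID)] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _der_read(spki, pos)
    _, rsa_key, _ = _der_read(bitstr[1:])                    # skip the unused-bits octet
    _, n_bytes, pos = _der_read(rsa_key)
    _, e_bytes, _ = _der_read(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# --- DKIM proper ---
def _canon_header(name, value):   # relaxed: lowercase name, unfold, collapse WSP, strip
    return name.lower() + ":" + re.sub(r"[ \t\r\n]+", " ", value).strip()

def _canon_body(body):            # simple: drop trailing empty lines, end with exactly one CRLF
    return body.rstrip("\r\n") + "\r\n"

def _get_header(headers, name):   # first occurrence (RFC 6376 walks last-first; simplified)
    return next((v for h, v in headers if h.lower() == name.lower()), None)

def _parse_tags(value):
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)           # folding whitespace in values is insignificant
    return tags

def _signed_data(headers, names, sig_value_without_b):
    out = [_canon_header(n, _get_header(headers, n) or "") + "\r\n" for n in names]   # missing => empty (simplified)
    out.append(_canon_header("DKIM-Signature", sig_value_without_b))                    # last, no trailing CRLF
    return "".join(out).encode()

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(_canon_body(body).encode()).digest()).decode()

def dkim_sign(headers, body, domain, selector, n, d, signed=("from", "to", "subject", "date")):
    value = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
             f"h={':'.join(signed)}; bh={_body_hash(body)}; b=")
    b = base64.b64encode(rsa_sign(_signed_data(headers, signed, value), n, d)).decode()
    return [("DKIM-Signature", value + b)] + headers

def dkim_verify(headers, body, dns_txt):
    """Return 'none', 'pass', 'fail' or 'permerror', like an Authentication-Results verdict."""
    sig = _get_header(headers, "DKIM-Signature")
    if sig is None:
        return "none"                                         # unsigned is not a failure, just unauthenticated
    tags = _parse_tags(sig)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or tags.get("c") != "relaxed/simple":
        return "permerror"                                    # only this subset is implemented
    record = dns_txt.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")   # stand-in for a TXT query
    if record is None:
        return "permerror"                                    # no key published for that selector/domain
    key = _parse_tags(record)
    if key.get("k", "rsa") != "rsa" or not key.get("p"):
        return "permerror"                                    # unsupported key type, or revoked key (empty p=)
    n, e = spki_to_rsa_public(base64.b64decode(key["p"]))
    if n.bit_length() < 1024:
        return "permerror"                                    # local policy: refuse keys below the RFC 6376 signer minimum
    if _body_hash(body) != tags.get("bh"):
        return "fail"                                         # body altered after signing
    sig_without_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig)   # strip only the b= value, keep the tag
    data = _signed_data(headers, tags.get("h", "").split(":"), sig_without_b)
    return "pass" if rsa_verify(data, base64.b64decode(tags.get("b", "")), n, e) else "fail"

def demo():
    random.seed(2012)                                         # deterministic demo keys; never do this for real keys
    n, e, d = rsa_keygen(1024)
    wn, we, wd = rsa_keygen(512)
    spki = lambda pub_n, pub_e: base64.b64encode(rsa_public_to_spki(pub_n, pub_e)).decode()
    dns_txt = {                                               # constructed DNS zone for bank.example
        "s2012._domainkey.bank.example": "v=DKIM1; k=rsa; p=" + spki(n, e),
        "old._domainkey.bank.example": "v=DKIM1; k=rsa; p=" + spki(wn, we),
    }
    headers = [("From", "Alice <alice@bank.example>"), ("To", "bob@example.net"),
               ("Subject", "Your statement"), ("Date", "Wed, 24 Oct 2012 10:00:00 +0000")]
    body = "Hello Bob,\r\nyour statement is ready.\r\n\r\n"
    signed = dkim_sign(headers, body, "bank.example", "s2012", n, d)
    return {
        "genuine": dkim_verify(signed, body, dns_txt),
        "body_altered": dkim_verify(signed, body.replace("ready", "overdue, pay now"), dns_txt),
        "weak_key": dkim_verify(dkim_sign(headers, body, "bank.example", "old", wn, wd), body, dns_txt),
        "lookalike": dkim_verify([("From", "Alice <alice@bank-secure.example>")] + headers[1:], body, dns_txt),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13s} -> {verdict}")
```

The four verdicts are the whole story of the post: the genuine message passes, a tampered body fails, a signature made with an under-sized key is rejected by this verifier's policy, and the lookalike sender that never signed anything gets "none", which is exactly the case a recipient's mail client will not flag. A real verifier would replace the dict with a DNS TXT query and would also handle multiple signatures, the l= body-length tag, relaxed body canonicalization and header-occurrence ordering, none of which this subset implements.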