On Fri, May 17, 2024 at 1:07 PM John Levine via mailop <mailop@mailop.org> wrote:
> It appears that Taavi Eomäe via mailop <ta...@zone.ee> said:
> >Hi!
> >
> >As part of coordinated disclosure, I am sharing it here as well. In short, using the approach described below, attackers can replace the entire contents of a letter, in a way the letters still pass DKIM's cryptographic checks. ...
>
> There is nothing whatsoever new here.
>
> We knew l= was a bad idea when we published it, and that you could do all sorts of naughty things by adding or fiddling with MIME parts. Some loud people insisted that it would solve the mailing list problem, which of course it didn't, but we're stuck with it now.
>
> I suppose it couldn't hurt to remind people that using l= is a bad idea but if they haven't already gotten the memo sometime in the past decade, I wouldn't hold my breath.

I guess the part that's new to me is the apparent widespread (enough) use of the l= parameter. I don't recall ever noticing its use before, though I can't say it was ever top of mind when looking at various headers of messages.

The example in the post of someone using l=1 really sounds like a workaround for receivers requiring DKIM signing but senders having fear of messages getting modified and rejected. I am both in awe at the hacker make-it-work ethos displayed as well as the complete disregard for authentication.

I'm curious what mitigation gmail deployed short of just ignoring the l= value entirely, which would be my impulse, though depending on how widespread it is it might require an annoying amount of outreach and rollout time to force correction.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
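An added example, not code from this thread or from any DKIM library: a small Python check that reads the l= tag from a DKIM-Signature header, applies the "simple" body canonicalization and reports how much of the body lies outside the signed length, i.e. the unsigned tail a receiver would still render even though the signature verifies. The message, selector and hash values are constructed placeholders.

```python
import re

# Constructed sample message (not from the thread). The signature declares l=12,
# which covers exactly "Hello DKIM\r\n"; the second line is outside the signed
# body length and would not invalidate the signature if changed or appended.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.net\r\n"
    b"Subject: test\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    b"\ts=sel; l=12; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"\r\n"
    b"Hello DKIM\r\n"
    b"Appended text the signer never saw.\r\n"
)


def dkim_tags(head):
    """Return the tag=value dict of the first DKIM-Signature header, or None."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)  # join folded continuation lines
    for line in unfolded.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"dkim-signature":
            tags = {}
            for item in value.decode("ascii", "replace").split(";"):
                key, _, val = item.strip().partition("=")
                if key:
                    tags[key.strip()] = val.strip()
            return tags
    return None


def simple_canon_body(body):
    """'simple' body canonicalization (RFC 6376 3.4.3): drop trailing empty lines, end with CRLF."""
    body = re.sub(rb"(\r\n)+$", b"\r\n", body)
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def audit_l_tag(raw):
    """Report whether l= is present and how many canonicalized body bytes it leaves unsigned."""
    head, _, body = raw.partition(b"\r\n\r\n")
    tags = dkim_tags(head)
    if tags is None or not tags.get("l", "").isdigit():
        return {"has_l": False, "unsigned_bytes": 0, "unsigned_tail": b""}
    canon = simple_canon_body(body)
    signed_len = int(tags["l"])
    # A verifier must fail if l= exceeds the body; otherwise everything past l= is unsigned.
    tail = canon[min(signed_len, len(canon)):]
    return {"has_l": True, "l": signed_len, "body_len": len(canon),
            "l_exceeds_body": signed_len > len(canon),
            "unsigned_bytes": len(tail), "unsigned_tail": tail}
```

A receiver that, as suggested above, ignores l= would simply hash the whole canonicalized body; this check instead surfaces the unsigned tail so a filter can refuse or strip it.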