Re: [mailop] (Mis)use of DKIM's length tag and it's impact on DMARC and BIMI

Fri, 09 Aug 2024 11:34:55 -0700

I'm thrilled to hear that you're interested in contributing to open source projects!
I don't use this library (sad face) But you can help tons of people by being a contributing member. 

Log in and start contributing?


The Debian teams that support OpenDKIM have a structured hierarchy and 
additional information available at; 
https://wiki.debian.org/Teams/DebianWiki


If you need more assistance to contribution, I would use those resources.

--


Getting someone else to publish your suggestions, is another topic of 
discussion.


--


Best of luck, Richard! I look forward to seeing your contributions 
reflected in future changelogs.



Here's to amazing and talented people like you who are eager to looking 
"how to" contribute.


--

Keith


On 8/9/2024 4:49 AM, Richard Hector via mailop wrote:

On 18/05/24 02:12, Taavi Eomäe via mailop wrote:

Hi!


As part of coordinated disclosure, I am sharing it here as well. In 
short, using the approach described below, attackers can replace the 
entire contents of a letter, in a way the letters still pass DKIM’s 
cryptographic checks. This also means these forged letters can be 
easily replayed to reach their victims. This subverts many of the 
expectations operators have about DKIM signatures, DMARC and BIMI.



Although some of these dangers have been known for a while (some 
parts are even described in the RFC itself), things like the threat 
landscape, our approach and the extent to which this can be abused 
have changed. In our opinion previously suggested and (rarely) 
implemented mitigations do not reduce these risks sufficiently.



We hope that with some cooperation from mail operators improved 
defense measures can be implemented to strengthen DKIM for everyone.




A longer description with images is available here: 
https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/


Hi,

Sorry for the resurrection of an old thread.


I recently set up DKIM, partly using https://wiki.debian.org/opendkim 
as my reference. That seems to suggest using l=, so that's what I did ...



If it's not good advice, perhaps someone more familiar with the 
subject than I am could update the Debian wiki?


Cheers,
Richard

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop























					Reply via email to