|
|
|
|
|
|
by geocar
5846 days ago
|
|
|
There are several ways to defeat DKIM here: • If you can break DNS, you can get an NXDOMAIN reply, making recipients think there aren't any domainkeys • If the domainkey private key is small, you can factor it. There's an article on HN's frontpage right now about this. • If the server uses domainkeys, but it doesn't specifically verify the From: header, an attacker can still forge a message if they share a popular mail provider with their target. I don't know if this is still practical. • Stupidity. DKIM is difficult to test, and as a security measure it would need to be tested. An autoreponse confirmation would be immune to all of these attacks and would be trivial to implement correctly. |
|
|