Email Signature Holes Fixed

Tuesday, October 30, 2012 @ 08:10 AM gHale

Google, Yahoo and Microsoft have fixed a weakness in their email-signing setups that made it possible for an attacker to forge messages that appeared, to a verifying mail server, to come from their domains.

The problem was that their DomainKeys Identified Mail (DKIM) deployments signed outgoing mail with RSA keys shorter than 1,024 bits. Because the matching public key is published in DNS, anyone can fetch it, and a key that short can be factored; whoever recovers the private key can then sign mail that passes DKIM verification for that domain.


While some security experts already consider 1,024-bit RSA keys too weak for long-term use, keys shorter than that are definitely unfit for serious use these days: 768-bit RSA was factored by an academic team in 2009, and the computing power available for rent in the cloud makes factoring a 512-bit modulus a matter of days.

According to a US-CERT note released on Wednesday, Google, Microsoft and Yahoo were all using too-short RSA signing keys, and all three vendors have now fixed the problem.

The weakness was first brought to light by a mathematician named Zachary Harris, who received an email purporting to come from a Google headhunter. The message carried a valid DKIM signature, meaning a receiving server could confirm it had been signed with the private key matching the public key published in google.com's DNS, so the headers looked in order. But Harris noticed that the key in play was only 512 bits long.

Harris was able to factor the key and, signing with the recovered private key, emailed Google founders Larry Page and Sergey Brin, thinking the weak key might be an elaborate recruitment test. He got no reply, but saw that Google subsequently started using 2,048-bit keys.

Harris also said other companies such as eBay and Twitter are using 512-bit keys, and financial services such as PayPal and HSBC are using only 768-bit keys.

According to the US-CERT note, “system administrators should replace all RSA signing keys fewer than 1,024 bits and configure their systems to not use or allow testing mode on production servers.” Testing mode is the t=y flag in the DKIM DNS record; it tells verifiers to treat a failed signature from that domain no differently from unsigned mail, so a production domain left in testing mode gets no protection from DKIM even with a strong key.
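The two checks the US-CERT guidance calls for, key length and testing mode, can both be made against a domain's published DKIM record. The following Python is an added example, not code from the article or from any of the vendors named in it. It parses a DKIM TXT record, decodes the base64 SubjectPublicKeyInfo in the p= tag with a minimal DER walker (no third-party library), and flags RSA moduli under 1,024 bits and the t=y flag. So that it runs offline, it also builds constructed records of a chosen modulus size; the modulus it generates is a random number of the right length, not a real RSA key, and the threshold constant and function names are this example's own. To audit a live domain you would fetch the TXT record at `<selector>._domainkey.<domain>` and pass it to `audit_dkim_record`.

```python
import base64
import re
import secrets

# Threshold from the US-CERT guidance quoted above (example's own constant).
MIN_RSA_BITS = 1024

# DER bytes of AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def build_dkim_record(n_bits: int, testing: bool = False, exponent: int = 65537) -> str:
    """Return a constructed DKIM TXT record whose p= holds an RSA SubjectPublicKeyInfo
    with a random n_bits-bit modulus. The modulus is NOT a real RSA key (not a product
    of two primes); it only needs the right size to exercise the audit below."""
    modulus = secrets.randbits(n_bits) | (1 << (n_bits - 1)) | 1
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))      # RSAPublicKey
    spki = _der_tlv(0x30, RSA_ALG_ID + _der_tlv(0x03, b"\x00" + rsa_pub))  # SubjectPublicKeyInfo
    tags = ["v=DKIM1", "k=rsa"] + (["t=y"] if testing else [])
    tags.append("p=" + base64.b64encode(spki).decode())
    return "; ".join(tags)


def _read_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the modulus size of an rsaEncryption SubjectPublicKeyInfo, else raise."""
    tag, body, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    alg_tag, alg, pos = _read_tlv(body)
    if alg_tag != 0x30 or _der_tlv(0x30, alg) != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bitstring, _ = _read_tlv(body, pos)
    if bs_tag != 0x03 or bitstring[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = _read_tlv(bitstring[1:])
    n_tag, n_bytes, _ = _read_tlv(rsa_pub)
    if n_tag != 0x02:
        raise ValueError("RSAPublicKey modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_tags(record: str) -> dict:
    """Split a DKIM record into tag=value pairs; folding whitespace inside values is dropped."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def audit_dkim_record(record: str) -> dict:
    """Apply the two checks from the US-CERT guidance to one DKIM record."""
    tags = parse_dkim_tags(record)
    result = {"key_type": tags.get("k", "rsa"), "bits": None, "testing": False, "findings": []}
    if "y" in tags.get("t", "").split(":"):
        result["testing"] = True
        result["findings"].append("testing mode (t=y) set: verifiers ignore signature failures")
    p = tags.get("p", "")
    if p == "":
        result["findings"].append("key revoked or missing (empty p=)")
        return result
    if result["key_type"] != "rsa":
        return result                       # ed25519 keys are fixed-size; length check does not apply
    result["bits"] = rsa_modulus_bits(base64.b64decode(p))
    if result["bits"] < MIN_RSA_BITS:
        result["findings"].append(f"RSA modulus is {result['bits']} bits, below {MIN_RSA_BITS}")
    return result


if __name__ == "__main__":
    for bits, testing in ((512, True), (768, False), (1024, False), (2048, False)):
        print(bits, audit_dkim_record(build_dkim_record(bits, testing)))
```

The DER walker is deliberately minimal: it handles only the SEQUENCE / OID / NULL / BIT STRING / INTEGER layout that RFC 6376 prescribes for an RSA p= value, and refuses anything else rather than guessing. A record that fails `rsa_modulus_bits` is itself a finding worth a look.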
