> On Mar 4, 2024, at 11:07 PM, Chuhan Wang <wc...@mails.tsinghua.edu.cn> wrote:
> 
> 
> Hi Douglas,
> 
> Thank you for your insightful summary of our paper. I'd like to share some of 
> my opinions.
> 
> You mentioned clients lose control of their SPF integrity. It's one of the 
> key problems exactly. Clients host their email services on email providers. 
> They are required to include email providers' SPF records in their SPF 
> records. However, the centralization of SPF deployment magnifies SPF 
> vulnerabilities. Our results show that when the email provider is vulnerable, 
> a single vulnerable SPF record can influence more than 10,000 domains, which 
> actually violates the assumption of SPF that domains can be distinguished by 
> IP addresses.
> 
> The reliance on IP addresses for sender authentication, a model that might 
> have seemed reasonable 20 years ago, has now proven to be inadequate in 
> today's situation. The centralized deployment of SPF, driven by centralized 
> email services, has only exacerbated the vulnerabilities inherent in this 
> trust model. The cascading effects of a single vulnerable SPF record 
> affecting thousands of domains highlight the fragility of our current email 
> authentication chain.
> 
> It's also worth noting that a similar centralization phenomenon exists 
> in the deployment of DKIM (e.g., shared DKIM keys), based on our previous 
> research published at USENIX Security 2022. 
> https://www.usenix.org/conference/usenixsecurity22/presentation/wang-chuhan
> 
> Based on the current status of SPF deployment, maybe it's time for us to 
> shift the trust model and explore better approaches to address email 
> authentication issues.
> 
> Chuhan Wang
> Tsinghua University

Sir, I was wondering if you could provide a short, concise proposal to mitigate 
this problem? Perhaps how you might introduce a student to a new concept.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
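The centralization Chuhan describes is visible in the `include:` and `redirect=` chains of ordinary SPF records: every domain that (transitively) includes a provider's record inherits whatever that record authorizes. The script below is an added example written for this thread, not code from the paper or from the list; it flattens SPF policies over a constructed zone table (the domain names, IP ranges and the "broad netblock" thresholds are invented for illustration) and reports, for each record, how many other domains end up trusting it, which is the "one record, many domains" blast radius the message is about.

```python
"""Audit SPF include chains to see how much trust is concentrated in one record.

The zone table below is constructed for this example; the domains use reserved
example/documentation names and prefixes and are not real SPF records.
"""
import ipaddress
from collections import defaultdict

# Constructed sample zone: domain -> SPF TXT record (invented data).
ZONE = {
    "mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
    "bulk.example": "v=spf1 ip4:203.0.113.0/22 include:mailhost.example ~all",
    "shop.example": "v=spf1 include:bulk.example -all",
    "bank.example": "v=spf1 ip4:192.0.2.5 include:mailhost.example -all",
    "blog.example": "v=spf1 redirect=bulk.example",
    "lax.example": "v=spf1 ip4:192.0.2.0/8 +all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 s.4.6.4: include/redirect/a/mx/ptr/exists share this budget


def lookup_spf(domain, zone):
    """Stand-in for a DNS TXT query: return the SPF record or None."""
    rec = zone.get(domain)
    return rec if rec and rec.lower().startswith("v=spf1") else None


def resolve_spf(domain, zone=ZONE, _path=(), _budget=None):
    """Flatten a domain's SPF policy by following include: and redirect= transitively.

    Returns the pass-authorized networks, the set of other domains whose records
    the policy ends up trusting, the effective 'all' qualifier, the number of
    DNS-costing mechanisms consumed, and any errors met along the way.
    """
    _budget = [MAX_DNS_LOOKUPS] if _budget is None else _budget
    out = {"networks": set(), "trusted": set(), "all": None, "errors": [], "lookups": 0}

    if domain in _path:
        out["errors"].append(f"include loop at {domain}")
        return out
    rec = lookup_spf(domain, zone)
    if rec is None:
        out["errors"].append(f"no SPF record for {domain}")
        return out

    def follow(target):
        # Every include/redirect costs one lookup from the shared budget.
        if _budget[0] <= 0:
            out["errors"].append(f"lookup limit exceeded at {target}")
            return None
        _budget[0] -= 1
        sub = resolve_spf(target, zone, _path + (domain,), _budget)
        out["networks"] |= sub["networks"]
        out["trusted"].add(target)
        out["trusted"] |= sub["trusted"]
        out["errors"] += sub["errors"]
        return sub

    for term in rec.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect= or exp=
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                sub = follow(target)
                if sub is not None and out["all"] is None:
                    out["all"] = sub["all"]  # a redirect adopts the target's 'all'
            continue
        mech, _, arg = term.lower().partition(":")
        mech = mech.split("/")[0]            # drop a dual-CIDR suffix such as a/24
        if mech == "include":
            follow(arg)
        elif mech in ("ip4", "ip6"):
            if qualifier == "+":             # only pass-qualified ranges authorize senders
                out["networks"].add(ipaddress.ip_network(arg, strict=False))
        elif mech in ("a", "mx", "ptr", "exists"):
            _budget[0] -= 1                  # costs a lookup; host resolution is out of scope here
        elif mech == "all":
            out["all"] = qualifier
    out["lookups"] = MAX_DNS_LOOKUPS - _budget[0]
    return out


def blast_radius(zone=ZONE):
    """For each record, the sorted list of domains whose policy transitively trusts it."""
    radius = defaultdict(set)
    for domain in zone:
        for trusted in resolve_spf(domain, zone)["trusted"]:
            radius[trusted].add(domain)
    return {k: sorted(v) for k, v in radius.items()}


def permissive_findings(domain, zone=ZONE):
    """Heuristic checks; the netblock thresholds are this example's own, not from a standard."""
    r = resolve_spf(domain, zone)
    findings = list(r["errors"])
    if r["all"] in ("+", "?"):
        findings.append(f"'{r['all']}all': the policy never fails any sender")
    for net in sorted(r["networks"], key=str):
        if (net.version == 4 and net.prefixlen < 16) or (net.version == 6 and net.prefixlen < 32):
            findings.append(f"very broad netblock {net} is shared with every host inside it")
    return findings


if __name__ == "__main__":
    for provider, dependents in blast_radius().items():
        print(f"{provider}: trusted by {len(dependents)} domain(s) -> {dependents}")
    for d in ZONE:
        for f in permissive_findings(d):
            print(f"{d}: {f}")
```

Run against the constructed zone, `mailhost.example` turns out to be trusted by four of the six domains although only two of them name it directly; that transitive fan-out is what makes a single weak provider record matter to thousands of customers in the paper's data. Swapping `lookup_spf` for a real TXT resolver turns this into an audit of your own domain's effective SPF policy.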