Hi DKIM folks, As many of you know there was a DKIM security vulnerability disclosure Friday around the signature header body length tag "l=". The blog post is here: https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/ The authors state that an adversary can append a malicious footer to a message with DKIM w/body length, then rewrite the Content-type header mime delimitter, that will cause the apparent body to be that of the footer but will authenticate as the original DKIM signature. This enables spoofing the original sender's identity, hence can spoof DMARC and BIMI but with a malicious message body. DKIM RFC6376 section 8.2 <http:///> already describes this problem, which the authors acknowledge, but according to them what is new is that there actually is mail traffic with DKIM-Signature w/body length which includes Fortune 500 companies.
Others have noted that the amount of traffic using DKIM w/body length is small, and from where I sit in Gmail I would agree. However I also agree with the blog post authors based on that same data that many of the impacted domains are systemically important email senders that really should be paying attention to the RFC section 8.2 and their email security much more carefully. Some of the names are mentioned in the blog post and that should be sufficient to convince everyone of the risk. I would argue that the body length feature in DKIM represents a significant spoofing hence security risk and that it must be discouraged to the extent possible. The standards community can help by deprecating the body length tag "l=" from the DKIM RFC. Dave Crocker mentioned that there is a pathway to do a narrow update to the RFC6376 as an individual submission. I agree that it is a good idea as hopefully a narrow update can be done relatively quickly. I understand that body length "l=" was meant to help DKIM tolerate adding a footer that a mailing list might do and that there is pressure from the DMARC world to think about this. Perhaps that still can be done except in a better secure way, and that work could be a separate document to permit it time to figure out how to do it. One idea is to have the forwarder sign with an ARC Message-Signature and would take ownership of the new message. The forwarder would describe the offsets to recover the original body length and some receiver can validate the original DKIM signature. Those offsets will also describe the forwarder's contribution to the message. There would also be problems around secure footer modification of Content-type header that are unsolved e.g. what to do if Content-type is oversigned. All this work might be good candidates for the newly chartered Mailmaint WG. -Wei
_______________________________________________ Ietf-dkim mailing list -- ietf-dkim@ietf.org To unsubscribe send an email to ietf-dkim-le...@ietf.org
