It appears that Wei Chuang <wei...@google.com> said: >-=-=-=-=-=- > >Hi DKIM folks, >As many of you know there was a DKIM security vulnerability disclosure >Friday around the signature header body length tag "l=". The blog post is >here: https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/ >The authors state that an adversary can append a malicious footer to a >message with DKIM w/body length, then rewrite the Content-type header mime >delimitter, that will cause the apparent body to be that of the footer but >will authenticate as the original DKIM signature.
This exact attack is described on page 41 of RFC 6376: If the "l=" signature tag is in use (see Section 3.5), the Content- Type field is also a candidate for being included as it could be replaced in a way that causes completely different content to be rendered to the receiving user. There really is nothing whatsoever new here. I agree that it would be a good idea to discourage people from using the l= tag but first I am trying to talk to the few places that send me l= mail and see if I can figure out why they do it. R's, John _______________________________________________ Ietf-dkim mailing list -- ietf-dkim@ietf.org To unsubscribe send an email to ietf-dkim-le...@ietf.org
