Re: [dmarc-ietf] Good paper analyzing inter-component flaws in email security

2020-08-14 Thread John Levine
In article  
you write:
>-=-=-=-=-=-
>
>It would be worthwhile for everyone in the group to read through
>https://www.usenix.org/conference/usenixsecurity20/presentation/chen-jianjun
>as they analyze implementation flaws that allow attacks against DMARC in
>existing implementations.

They found some interesting and unlikely implementation bugs but I
didn't see anything that looked like a design problem.

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc


Re: [dmarc-ietf] Good paper analyzing inter-component flaws in email security

2020-08-14 Thread Jim Fenton
On 8/14/20 12:16 PM, Dotzero wrote:
>
>
> On Fri, Aug 14, 2020 at 10:59 AM Kurt Andersen (b)  > wrote:
>
> It would be worthwhile for everyone in the group to read
> through 
> https://www.usenix.org/conference/usenixsecurity20/presentation/chen-jianjun
> as they analyze implementation flaws that allow attacks against
> DMARC in existing implementations.
>
> The paper should be publicly accessible now since the conference
> is in progress. There's also a slide deck with a summarized set of
> results from their study.
>
> --Kurt
>
>
> Did a first look at the slide deck. Some interesting stuff. Some is
> clearly interoperability and should be considered by the working
> group. Some is DMARC/DKIM/SPF implementation issues and some like the
> display name is intractable. As someone suggested to me today, it
> would be incredibly useful to disambiguate the Display Name from the
> From email address for anti-abuse purposes but my feeling is a) that
> is something for the email core group (not this group) and b) there
> would be incredible pushback against such an effort.
>
Agreed. I watched the presentation this morning and he points out a
number of likely implementation issues that are worth evaluating.
Haven't had a chance to read the paper in detail yet.

But he doesn't seem to have considered primarily cases where the From
email address is presented to and evaluated by the user. He largely
ignores MUAs that show only the friendly name and research showing that
even if displayed, it is frequently ignored.

-Jim

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc


Re: [dmarc-ietf] Good paper analyzing inter-component flaws in email security

2020-08-14 Thread Dotzero
On Fri, Aug 14, 2020 at 10:59 AM Kurt Andersen (b)  wrote:

> It would be worthwhile for everyone in the group to read through
> https://www.usenix.org/conference/usenixsecurity20/presentation/chen-jianjun
> as they analyze implementation flaws that allow attacks against DMARC in
> existing implementations.
>
> The paper should be publicly accessible now since the conference is in
> progress. There's also a slide deck with a summarized set of results from
> their study.
>
> --Kurt
>

Did a first look at the slide deck. Some interesting stuff. Some is clearly
interoperability and should be considered by the working group. Some is
DMARC/DKIM/SPF implementation issues and some like the display name is
intractable. As someone suggested to me today, it would be incredibly
useful to disambiguate the Display Name from the From email address for
anti-abuse purposes but my feeling is a) that is something for the email
core group (not this group) and b) there would be incredible pushback
against such an effort.

Michael Hammer
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
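The display-name problem raised in the two posts above comes down to a parsing distinction: DMARC evaluates the domain of the addr-spec in the RFC5322.From header, while many MUAs show the user only the display name (the "friendly name"). The following Python is an added example, not code from the thread or from the USENIX paper: it splits a From header into its two parts with the standard library's `email.utils.parseaddr`, and flags the case where the display name itself contains an address whose domain differs from the real one. The sample headers are constructed, the `ADDR_RE` heuristic is this example's own assumption, and the comparison is on the full addr-spec domain rather than DMARC's organizational domain.

```python
"""Added example (not from the dmarc-ietf thread): separate the display name
from the addr-spec of an RFC 5322 From header and flag display names that
carry a conflicting email address. Sample inputs below are constructed."""
import re
from email.utils import parseaddr

# Heuristic (assumption, not an RFC rule): anything that looks like an
# email address inside the display name, capturing its domain.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def split_from(header):
    """Return (display_name, addr_spec, domain) for a From header value.

    The domain returned is the addr-spec domain, i.e. the RFC5322.From
    identifier DMARC aligns against (exact domain here; DMARC relaxed
    alignment would compare organizational domains instead)."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name, addr, domain


def display_name_conflicts(header):
    """True when the display name contains an email address whose domain
    differs from the real addr-spec domain.

    Such a message can pass DMARC on the addr-spec domain while an MUA that
    shows only the friendly name presents a different address to the user,
    which is the gap the thread calls intractable at the DMARC layer."""
    name, addr, domain = split_from(header)
    if not addr:
        return False  # unparseable header: nothing to compare against
    for match in ADDR_RE.finditer(name):
        if match.group(1).lower() != domain:
            return True
    return False


def scan_headers(headers):
    """Run the check over a batch of From header values; return the ones
    a receiver might want to annotate or route to closer review."""
    return [h for h in headers if display_name_conflicts(h)]


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Alice Example <alice@example.com>",            # ordinary, consistent
    '"ceo@example.com" <mailer@example.net>',        # display name conflicts
    "alice@example.com",                             # no display name at all
    '"Alice (alice@example.com)" <alice@example.com>',  # same domain, fine
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(split_from(h), "conflict" if display_name_conflicts(h) else "ok")
```

The check is deliberately narrow: it only looks for an explicit address-shaped string in the display name, which is the one form of the ambiguity a receiver can detect mechanically. A display name that is merely a familiar person's name, with no address in it, is exactly the case the thread says DMARC cannot resolve, and this code does not pretend otherwise.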


[dmarc-ietf] Good paper analyzing inter-component flaws in email security

2020-08-14 Thread Kurt Andersen (b)
It would be worthwhile for everyone in the group to read through
https://www.usenix.org/conference/usenixsecurity20/presentation/chen-jianjun
as they analyze implementation flaws that allow attacks against DMARC in
existing implementations.

The paper should be publicly accessible now since the conference is in
progress. There's also a slide deck with a summarized set of results from
their study.

--Kurt
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc