Comment 4 for bug 643223

Martin Pool (mbp) wrote: Re: [Bug 643223] Re: should accept dkim based on from address and signing address belonging to the same person

I'm fine with only doing the first case, i.e. checking both From and
Sender are validated addresses for the same account.

On 20 September 2010 16:41, Scott Kitterman <email address hidden> wrote:
> You want to limit DKIM to cases where the signing domain (d=) matches
> the From domain in the body of the message.  Looking at Sender and
> ignoring From puts the identity precedence backwards.  It is not unheard
> of for mailing lists to add a sender header and for mailing lists to add
> DKIM signatures.  If there were a mailing list hosted under the domain
> in question, relying on Sender might allow malicious commands to be
> authenticated:
>
> 1. Sign up for mailing list on target domain.
> 2. Send message to mailing list (LP won't get this because it's not subscribed).
> 3. Collect message plus signature from mailing list.
> 4. Replay message with rcpt to LP.
> 5. Profit.
>
> Keep in mind that envelope identities like rcpt to are not bound to DKIM
> signatures and so replay like this is trivial.  It's not currently done
> because it's not valuable to do so.  Please don't make it valuable to do
> so.

I don't see the vulnerability in this example. I think this would
mean there was a message with Sender: <email address hidden> From:
<email address hidden>, with both fields signed by example.com.
This is only a problem if Impersonated has already, through the web
ui, added <email address hidden> as one of their email addresses?

--
Martin
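The "first case" settled on above (the DKIM signing domain must match the From domain, and From plus any Sender header must be validated addresses of the same account), written out as an added illustration that is not part of this bug thread or of Launchpad's code. Signature verification itself is assumed to have already succeeded with the given d= domain; the addresses, account ids and headers below are constructed placeholders, and the replayed message mirrors the mailing-list scenario quoted in the thread.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address, or None if absent."""
    _, email_addr = parseaddr(addr or "")
    if "@" not in email_addr:
        return None
    return email_addr.rsplit("@", 1)[1].lower()


def accept_dkim_identity(msg, signing_domain, validated_addresses):
    """Decide whose identity a DKIM-signed message may act under.

    msg: parsed email.message.Message whose signature verified with d=signing_domain.
    validated_addresses: lower-cased address -> account id, i.e. the addresses
    each account has confirmed (here, the constructed VALIDATED mapping).
    Returns (True, account) or (False, reason).
    """
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    # Identity precedence: the author (From) must be covered by the signer.
    if domain_of(from_addr) != signing_domain.lower():
        return False, "d= does not match From domain"
    account = validated_addresses.get(from_addr)
    if account is None:
        return False, "From address not validated for any account"
    # A Sender added by a list must belong to the same account, otherwise a
    # replayed list message could be attributed to the list address's owner.
    if msg.get("Sender"):
        _, sender_addr = parseaddr(msg["Sender"])
        if validated_addresses.get(sender_addr.lower()) != account:
            return False, "Sender address not validated for the same account"
    return True, account


# Constructed samples (placeholder addresses, not from the bug report).
VALIDATED = {"alice@example.com": "alice", "list@example.com": "alice",
             "mallory@example.com": "mallory"}
LEGIT = message_from_string("From: alice@example.com\nSubject: hi\n\nbody\n")
REPLAYED = message_from_string(
    "From: mallory@example.com\nSender: list@example.com\nSubject: hi\n\nbody\n")
UNALIGNED = message_from_string(
    "From: mallory@elsewhere.test\nSender: list@example.com\nSubject: hi\n\nbody\n")
```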