[ietf-dkim] ISSUE: 4871bis-02 - Section 8.14 comments
Charles Lindsey
chl at clerew.man.ac.uk
Mon Oct 18 04:15:48 PDT 2010
On Fri, 15 Oct 2010 17:47:24 +0100, Jim Fenton <fenton at cisco.com> wrote:
> On 10/15/10 6:06 AM, Charles Lindsey wrote:
>> I don't quite see what an attacker can usefully do by modifying messages
>> in transit. If they message was already signed (say by ebay), then the
>> attacker must somehow get ebay to sign a message with a useful (to him)
>> text in its body. So what is the benefit to him of making it appear
>> From:
>> someone who is not Ebay (except maybe to ensure that replies get sent to
>> him - since I assume that MUAs that only display the first header will
>> also Reply-To that header)?
>
> An attacker could compose a message from some other domain with a good
> reputation, and add a From header indicating it's really authored by
> someone at a different domain (say by ebay). Even if ebay has an ADSP
> record, it's possible that the invisible (originally) From address
> would be used to in the author signature check, which would pass.
Exactly so, but that does not involve any "modifying messages in transit",
and people seem to be fixated on "modifying in transit" and on "replay
attacks", whereas the nastiest scams do not, AFAICS, involve either of
those. That was why I asked the question, and I have not seen a really
satisfactory answer to it yet.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
More information about the ietf-dkim
mailing list