Thursday, October 25, 2012

Google, Microsoft and Yahoo fix a serious vulnerability in their mail systems

The operators of three of the most popular e-mail services, Google, Microsoft and Yahoo, have simultaneously fixed a weakness in their mail server configuration that allowed the cryptographic verification of message signatures to be bypassed. The weakness let a potential attacker target the weakest element of the cryptosystem, the signing key, and produce forged messages that pass as genuine.

The vulnerability concerns DKIM (DomainKeys Identified Mail), which besides Google, Yahoo and Microsoft is used by many other mail operators. DKIM attaches a cryptographic signature to each outgoing message; the receiving server fetches the sending domain's public key from DNS and checks the signature, so that messages with forged sender addresses (spam, phishing) can be discarded while legitimate messages are passed through.

The problem was the length of the RSA signing keys. DKIM keys shorter than 1024 bits can be factored on ordinary hardware or with rented cloud computing time, and once the private key has been recovered the attacker can sign arbitrary messages in the domain's name. The US-CERT vulnerability note on the issue warns that 512- and 768-bit keys are within reach of such factoring attacks and that 1024 bits is the minimum acceptable length. The worst case was Google, which was using 512-bit keys for Gmail: independent researchers were able to factor the key, send forged e-mail in the names of Google founders Larry Page and Sergey Brin, and have it pass the DKIM check that Google applies to Gmail.
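The check a mail administrator would want after reading this is simple: pull the DKIM record for each selector you publish and measure the RSA modulus. The following script is an added example written for this article, not code from the operators or researchers mentioned; it parses a DKIM TXT record, decodes the DER public key in its p= tag with a minimal ASN.1 reader, and flags any modulus below 1024 bits. The sample records are constructed in the block from placeholder moduli of the right size (they are not real RSA keys), so it runs offline.

```python
import base64
from typing import Dict

# DER encoding of the rsaEncryption OID 1.2.840.113549.1.1.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def der_len(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # pad so the INTEGER stays positive
    return der_tlv(0x02, body)


def spki_from_rsa(n: int, e: int = 65537) -> bytes:
    """Build a SubjectPublicKeyInfo (the format a DKIM p= tag carries) from n and e."""
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))
    algorithm = der_tlv(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_key))


def read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, outer, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, algorithm, pos = read_tlv(outer, 0)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(outer, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = read_tlv(bit_string, 1)  # skip the unused-bits octet
    tag, modulus, _ = read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DKIM TXT record into a dict.
    Assumes the DNS character-strings have already been joined; folding
    whitespace inside values (allowed by RFC 6376) is removed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def audit_dkim_record(txt: str, minimum_bits: int = 1024) -> Dict[str, object]:
    """Classify a DKIM record: 'revoked' (empty p=), 'weak' (modulus below
    minimum_bits) or 'ok'. Only k=rsa records are understood."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are audited here")
    public_key = tags.get("p", "")
    if not public_key:
        return {"status": "revoked", "bits": 0}
    bits = rsa_modulus_bits(base64.b64decode(public_key))
    return {"status": "weak" if bits < minimum_bits else "ok", "bits": bits}


# Constructed sample records. The moduli are placeholders of the right size,
# not real RSA keys, so the records only exercise parsing and the length check.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_rsa((1 << 511) + 12345)).decode()
OK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_rsa((1 << 2047) + 12345)).decode()
REVOKED_RECORD = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, record in [("weak", WEAK_RECORD), ("ok", OK_RECORD), ("revoked", REVOKED_RECORD)]:
        print(name, audit_dkim_record(record))
```

To audit a real domain, fetch the record with `dig +short TXT <selector>._domainkey.<domain>` (the selector is the s= tag of a DKIM-Signature header on mail from that domain), join the quoted strings dig prints into one string, and pass it to audit_dkim_record. A record that comes back as "weak" is exactly the condition the article describes: the domain's signatures can be counterfeited by anyone willing to factor the key.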

The researchers say that a DKIM infrastructure built on such short keys is a serious problem that can compromise many e-mail systems. Further investigation showed that the DKIM checks of PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP and HSBC could be bypassed in the same way.

In practice the weakness lets an attacker forge the sender address while still passing the DKIM signature check, which makes it well suited to targeted phishing attacks on corporate users who believe their e-mail system protects them. Anyone who publishes DKIM keys should verify the length of every key in DNS and rotate any key shorter than 1024 bits.

