Google hardens DKIM after founders served spoofed Gmail


Weak crypto ditched.

Google has tightened up Gmail security after a researcher successfully spoofed emails to the company founders Sergey Brin and Larry Page.


Mathematician Zachary Harris used a flaw in Google's implementation of the DomainKeys Identified Mail (DKIM) standard to send emails to Brin and Page which were purportedly from each other, technology publication Wired said on Tuesday.

DKIM is a security standard that is designed to mitigate phishing and other spoofing attacks by cryptographically associating a domain name with an email message.

Google had used a weak 512-bit key to sign emails from a legitimate corporate domain, rather than the recommended key length of 1,024 bits proposed in RFC 6376.

Harris cracked the Google key using Amazon Web Services cloud computing at a cost of US$75. Google is now using stronger DKIM keys, a Google spokeswoman told Wired.

A number of organisations are still using weak DKIM keys, leaving themselves open to phishing attacks, US-CERT warned in an advisory, adding that organisations should revoke and replace any DKIM key shorter than 1024 bits.
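The check US-CERT recommends can be automated against a domain's published selector record. The following is an added example, not code from the article or from Google: it parses a DKIM TXT record (`v=DKIM1; k=rsa; p=...`), decodes the base64 SubjectPublicKeyInfo with a minimal DER reader, and flags RSA moduli below 1024 bits. The `make_spki` encoder and the sample records are constructed here only to produce test data; the moduli are not real signing keys.

```python
import base64

def _tlv(tag, body):
    """Minimal DER encoder (short and long length forms), used only to build sample keys."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # extra leading 0x00 keeps INTEGER positive
    return _tlv(0x02, b)

def make_spki(n, e=65537):
    """Constructed RSA SubjectPublicKeyInfo for modulus n (test data, not a real key)."""
    rsa_oid_null = bytes.fromhex("06092a864886f70d0101010500")   # rsaEncryption OID + NULL
    alg = _tlv(0x30, rsa_oid_null)
    pub = _tlv(0x03, b"\x00" + _tlv(0x30, _int(n) + _int(e)))   # BIT STRING, 0 unused bits
    return _tlv(0x30, alg + pub)

def _read(data, pos=0):
    """Read one DER element at pos and return (tag, value, end_offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size in bits from a DER-encoded RSA SubjectPublicKeyInfo."""
    _, body, _ = _read(spki)            # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read(body)             # AlgorithmIdentifier (skipped)
    _, bits, _ = _read(body, pos)       # BIT STRING; first byte is the unused-bits count
    _, rsa_pub, _ = _read(bits, 1)      # RSAPublicKey SEQUENCE inside the BIT STRING
    _, modulus, _ = _read(rsa_pub)      # INTEGER n (first element)
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_bits(txt_record):
    """Bit length of the RSA key in a DKIM TXT record, or None if revoked / not RSA."""
    tags = dict(p.strip().split("=", 1) for p in txt_record.split(";") if "=" in p)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None                     # empty p= means the selector is revoked (RFC 6376)
    return rsa_modulus_bits(base64.b64decode(tags["p"].replace(" ", "")))

def is_weak_dkim_key(txt_record, minimum_bits=1024):
    bits = dkim_key_bits(txt_record)
    return bits is not None and bits < minimum_bits

# Constructed sample records (moduli are placeholders, not real keys): 512-bit, 2048-bit, revoked.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki((1 << 511) | 1)).decode()
STRONG_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki((1 << 2047) | 1)).decode()
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
```

In practice the record is fetched from DNS at `<selector>._domainkey.<domain>` (TXT) and passed to `is_weak_dkim_key`; a `True` result means the selector should be rotated to a longer key.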

Google had not responded to a request for comment at the time of writing.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition