Google hardens DKIM after founders served spoofed Gmail

By on
Google hardens DKIM after founders served spoofed Gmail

Weak crypto ditched.

Google has tightened up Gmail security after a researcher successfully spoofed emails to the company founders Sergey Brin and Larry Page.

Mathematician Zachary Harris used a flaw in Google's implementation of the DomainKeys Identified Mail (DKIM) standard to send emails to Brin and Page which were purportedly from each other, technology publication Wired said on Tuesday.

DKIM is a security standard that is designed to mitigate phishing and other spoofing attacks by cryptographically associating a domain name with an email message.

Google had used a weak 512-bit key to sign emails from a legitimate corporate domain, rather than the recommended key length of 1,024 bits proposed in RFC 6376.

Harris cracked the Google key using Amazon Web Services cloud computing at a cost of US$75. Google is now using stronger DKIM keys, a Google spokeswoman told Wired.

A number of organisations are still using weak DKIM keys, leaving themselves open to phishing attack, US-Cert warned in an advisory, adding that organisations should revoke and replace DKIM keys that are less than 1024 bits, said US-Cert.

Google had not responded to a request for comment at the time of writing.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, UK edition

Most Read Articles

Log In

  |  Forgot your password?