Friday 26 October 2012

Google, Yahoo, and Microsoft busted using weak cryptographic keys.

Trust nobody.

Ok, you can trust us. But really, sometimes it feels like even the best security just isn't enough. And sometimes, even the most trusted companies cut corners.

On Wednesday, a mathematician named Zachary Harris found that Google, Yahoo and Microsoft were using shoddy security measures in their email clients. As it turns out, all three companies were using keys less than 1,024 bits in length in their DomainKeys Identified Mail (DKIM) mechanism (Google was using a 512-bit key).

DKIM keys are used by domains as certificates to verify to mail recipients that the mail is indeed from who it claims to be. Think of it as a really complicated digital signature. Were someone to crack the key, they could easily impersonate anyone from the domain. In this case, the hacker could impersonate anyone at Google.
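The concrete thing a domain owner can check here is the size of the RSA modulus published in the DKIM selector record. The following is an added example, not code from the original post or from any of the companies named: it parses a DKIM TXT record (the `p=` tag carries a base64 SubjectPublicKeyInfo for `k=rsa` keys), decodes the DER with a minimal hand-written parser so it needs only the standard library, and reports whether the key falls under the 1,024-bit line the article draws. The sample record is constructed from a placeholder 512-bit integer, not a real RSA key; only its length matters for the check.

```python
# Added example (not from the original post): report the RSA modulus size
# carried in a DKIM DNS TXT record and flag keys under 1024 bits.
# Standard library only; DER handling is a minimal encoder/decoder for
# SubjectPublicKeyInfo, which is what the p= tag carries (base64) for k=rsa.
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return _tlv(0x02, body)


def encode_spki(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo for an RSA public key (modulus, exponent)."""
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def modulus_bits_from_spki(der):
    """Extract the RSA modulus bit length from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, algorithm, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(algorithm, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)  # skip unused-bits octet
    _, modulus, _ = _read_tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict (DKIM tag-list syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dkim_key_bits(txt):
    """Modulus size of the key published in a DKIM selector record."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":  # k= defaults to rsa when absent
        raise ValueError("unsupported key type: " + tags["k"])
    p = "".join(tags.get("p", "").split())  # long keys are often split across TXT strings
    if not p:
        raise ValueError("empty p= means the key is revoked")
    return modulus_bits_from_spki(base64.b64decode(p))


def assess_key(bits):
    """Verdict in the article's terms: under 1024 bits is breakable."""
    if bits < 1024:
        return "weak"
    if bits < 2048:
        return "marginal"
    return "ok"


def make_dkim_record(modulus, exponent=65537):
    """Constructed record for testing; the modulus need not be a real RSA key."""
    p = base64.b64encode(encode_spki(modulus, exponent)).decode("ascii")
    return "v=DKIM1; k=rsa; p=" + p


# Constructed 512-bit placeholder modulus (NOT a real RSA key; only its size matters).
SAMPLE_RECORD_512 = make_dkim_record((1 << 511) | 1)

if __name__ == "__main__":
    bits = dkim_key_bits(SAMPLE_RECORD_512)
    print(f"{bits}-bit RSA key: {assess_key(bits)}")  # 512-bit RSA key: weak
```

To run it against a live domain, fetch the TXT record at `<selector>._domainkey.<domain>`, join the quoted strings into one line without the quotes, and pass that string to `dkim_key_bits`. An empty `p=` is a deliberately revoked key rather than a parse failure, which is why it is reported separately.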

Harris discovered the security flaw last December when he received an email from a Google headhunter.

Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn't seem the likeliest candidate for the job Google was pitching.
So he wondered if the e-mail might have been spoofed – something sent from a scammer to appear to come from the search giant. But when Harris examined the e-mail's header information, it all seemed legitimate. [Wired]

But then Harris saw Google was using a weak cryptographic key to sign their emails -- only 512-bit.

Harris thought there was no way Google would be so careless, so he concluded it must be a sly recruiting test to see if job applicants would spot the vulnerability. Perhaps the recruiter was in on the game; or perhaps it was set up by Google's tech team behind the scenes, with recruiters as unwitting accomplices.

Google never got back to Harris, but two days after he contacted them, the cryptographic keys were switched to 2,048-bit. Yahoo and Microsoft have followed suit.

Harris also reported that other companies including Ebay, Twitter, Paypal and HSBC are using weak keys.
