So the author's central thesis essentially seems to boil down to this: leaked emails were able to be cryptographically verified because of DKIM, and so we should prevent that so people can't use email to blackmail politicians? Ultimately I prefer that as much information as we can get on politicians be available.
It seems to me that, especially when an elected official has something they don't want others to know about, it should be public knowledge.
After all, a marketplace is only efficient if all actors have access to as much information as possible.
EDIT: As a follow-up, several people point out that it could happen to me or a family member, but this seems like even more reason to have DKIM, so that if someone attempts to blackmail me based on the contents of my email, checking the DKIM signature makes it even easier to disprove a bad blackmail attempt.
Why is this argument not equivalent to the much-derided “nothing to hide” or “ban encryption by law” arguments?
The way to have transparency into politicians' communications is to require them by law to be made public, and to use law enforcement to make sure that this actually happens. It seems that relying on information going over email (as opposed to e.g. Signal) and getting hacked (perhaps you want it all hacked, perhaps you are more happy while it is the side you don't like getting hacked; either way I think one must acknowledge that by focusing on what is hacked, one is granting those hackers great control of the narrative) is not really very useful.
> So the author's central thesis essentially seems to boil down to this: leaked emails were able to be cryptographically verified because of DKIM, and so we should prevent that so people can't use email to blackmail politicians? Ultimately I prefer that as much information as we can get on politicians be available.
I don't think Matthew Green is arguing against transparency. What he's observing is that non-repudiation is an unintentional byproduct of DKIM's design. Because it's a byproduct, DKIM's users have made implementation decisions that make it susceptible to weaknesses in the unintentional non-repudiation property.
By 2030, a motivated nation state will probably have the ability to crack the 2048-bit RSA keys that Google is currently using for DKIM. Do you really want someone in 2031 to be able to contrive fake signatures for the emails of politicians in 2021?
DKIM was not designed to authenticate emails far into the future.
In fact, it does not authenticate any emails without a corresponding public key currently published to DNS. It provides specifically for "empty" or revoked keys to avoid such retro-validation.
Seems the central thesis is that because these messages are patently no longer authenticated by DKIM, we should eliminate any remaining hope of them being construed as authenticated by DKIM.
I am not a lawyer, but I do not believe that DKIM provides repudiation specific to an individual. DKIM provides evidence that email originated on an email provider. The users neither own nor control the server and user accounts get compromised all the time as well as fake accounts created all the time. Google battles this daily. DKIM might be one piece of information, used in combination with a client IP address and some method of proving who was at that client IP address at the time, but I do not believe that DKIM could stand on its own.
For example, I have servers that DKIM sign emails. If a person uses my servers to send a death threat, the FBI is going to want web access logs and smtp logs.
> So the author's central thesis essentially seems to boil down to that leaked emails were able to be cryptographically verified, because of DKIM and so we should prevent that so people can't use email to blackmail politicians? Ultimately I prefer the more information that we can get on politicians available.
No matter what you think about politicians, it is a failure of cryptography, or perhaps our common application of it, that the signatures we use to assure our conversation partner of our identity can also be used for our conversation partner (or divers third parties) to prove what we said.
Compare https://en.wikipedia.org/wiki/Off-the-Record_Messaging which solved this problem quite a few years ago. Off-the-Record Messaging allows your conversation partner to know that they are talking to the real you, but does not empower them to prove that to anyone else.
Checking the DKIM key doesn't prove anything with certainty - the keys could have been leaked or stolen, or the mail server hacked. Or, the operator of the mail server could even forge the message. Many possibilities.
The purpose of DKIM is to help prevent spam, not to verify the authenticity of the sender.
If a nation state adversary has hacked the DKIM keys from your email server, they can send fake emails signed with this key. So it doesn't prove that a high value target like a presidential candidate has actually typed and pressed send on that email, it just proves that the first SMTP server that routed the email has sent it.
Even Google didn't bother to rotate their DKIM keys as recommended by the standard, so one wonders if the Google keys are stored in a cage guarded by lasers and dogs, or if there are copies on someone's laptop somewhere and any sysadmin with a gambling problem or a secret affair could have leaked them to an unscrupulous journalist or a spy.
> As a follow-up, several people point out that it could happen to me or a family member, but this seems like even more reason to have DKIM, so that if someone attempts to blackmail me based on the contents of my email, checking the DKIM signature makes it even easier to disprove a bad blackmail attempt.
I think his point is that the DKIM signatures could be used to verify that you did, in fact, send something worth being blackmailed over, rather than having the plausible deniability of saying that your DKIM private key from that period is already public and thus could be forged.
Which, to me, sounds similar to the classic XKCD: "Theoretically, I use 2048-bit RSA encryption and the hackers can't get my data. In reality, they just beat me with a hammer until I give up the password." Maybe a public DKIM argument would hold up in court, but if we're just talking reputation blackmail among family and friends, it ain't it, chief.
Hey Google. Please never do this. This would throw away thousands of pieces of evidence about how the Erdogan regime worked with terror organisations, including the e-mails that tried to ban social media to stop this evidence from being available to the public. And also how they declared innocent people to be terror organisations with some companies that offered legal support. For example, this one https://wikileaks.org/berats-box/emailid/35540 especially verifies a crime, the Turkish Airlines Nigeria weapon transfer, as it marks the event as "Government Secret"; the evidence they talk about in this e-mail involves a call where the ministers say "I don't know if they will use it to kill Muslims or Christians".
That specific e-mail does not have a DKIM signature (maybe because it was sent to his own Gmail address? or to a Gmail address in general?).
I am aware that even if they publish the DKIM secrets, these e-mails will not lose any value, since they were posted before the secrets.
But I think using e-mails as evidence should be a thing in general. You could receive them to your personal e-mail server and want to authenticate them and use them in court, even years after. If they publish the keys, it would not be possible, as you could be the one who forged the e-mail to look as if it were received from somebody else and put it into your IMAP server manually.
I know threads change over time, and it's dangerous to write a comment in response to the perceived gestalt of an HN thread, but, I have to say, it's pretty wild reading a thread on this site arguing so strenuously against the premise of secure messaging.
In messaging cryptography, non-repudiability has for almost 2 decades been considered a vulnerability, not a feature. The OTR protocol[1] takes the step of publishing its used MAC keys --- it releases private key material! --- to ensure that random people can forge messages once participants have authenticated them. Signal came up with a novel deniable AKE[1] that is one of the more famous parts of the protocol; by design, you can forge a Signal conversation from someone's private key even if you've never talked to them before.†
When you think about it in the abstract, it's easy to understand what's going on, even if you don't take the time to read the OTR paper. Once counterparties have authenticated each other's messages, authentication has served its purpose. To allow a stranger to authenticate a message is to concede information to them, and avoiding concessions is the point of messaging cryptography.
If you believe non-repudiable messages are necessary for public policy, it's hard for me to understand how you'd support the rest of secure messaging. Most secure messengers also have "disappearing messages", which have an even more powerful impact on the public's ability to read your (or some disfavored other's) messages. In fact, keeping the public from reading stuff is... kind of the obvious point?
Maybe it's just email, and the belief that email should not just be insecure, but be deliberately insecure? But, you all get how weird it is for me to read that after getting yelled at for writing a blog post about avoiding secure email, right? 547 comments[3]! Many of them very angry!
† I'm always looking for this triple-DH blog post and never able to find it, because it doesn't contain the word "triple", and it never occurs to me to search for "deniable", only "repudiability" (which also doesn't occur in the blog post), so I guess I can thank this thread for fixing my bookmark.
It's easy to see why there are divided opinions on this. When someone sends an email, the recipient often wants to be able to prove that they did so. We think of email as something capable of leaving a paper trail, proof that certain people sent certain emails. It's reasonable for secure messaging to want to fill a different niche, more like private conversation. I've seen messaging apps advertised on the basis that they will delete all messages after a certain time, making them basically equivalent to talking to someone, in terms of non-repudiation and being ephemeral by default. But people frequently want email to be more like letter writing than private conversation. The tradition with letters was to sign your letters to prove that you sent them. People talk about having a certain thing "in writing", so that they can use it in litigation. Insofar as email is supposed to fill that niche, it's reasonable to expect it to provide repudiable messaging.
I think the reason there's so much controversy about this post is because it was written in the context of a recent political controversy around which tribes have formed unusually strong opinions. It's hard to have a quality technical discussion when so many of the participants are being driven more by tribal emotions than by rational discussion.
> To allow a stranger to authenticate a message is to concede information to them, and avoiding concessions is the point of messaging cryptography.
Whilst I agree with you that email messages should be repudiable, I have a feeling you're trying to pass something off as axiomatic that isn't. For example, isn't a confidential business agreement basically exactly, by design, an authenticated non-repudiable message that can be authenticated by third parties (such as courts)?
Has this kind of repudiation ever been tested in the real world? It's hard to imagine a court throwing out email evidence because it lacked a DKIM signature. And on a personal level seeing a chat transcript that had cryptographic non-repudiation would make me likely to believe it, but seeing one that lacked it would probably not weigh heavily in how I came to that determination.
The problem of deniability and "disavowing keys" is subjective and requires technical skill to understand; the average person will not find this "equalization of legit and forged data" intuitive and will believe that keys/signatures/encryption on content add authenticity on the same level as "legit data". Instead of "repudiation" you have a 'weak proof of authenticity' that could be disproved later (the burden-of-proof shift here is important psychologically, since keys/encryption are perceived as legitimizing content).
Email fills a different niche than secure messaging protocols though. Email has come to be used much like mail, including for legal purposes. Non-repudiation is actually a useful feature for a lot of those use-cases.
Obviously the conflation of a bunch of different use-cases into this one protocol is a problem, but I don't know that just making email more secure is a solution.
Non-repudiation is of course a needed property for many systems, but it is not a property a system, especially an everyday messaging system like email, should have by accident - even "weak" non-repudiation such as DKIM. It is a violation of privacy. The suggestion the author makes of course doesn't completely get rid of it, but at least makes it time-limited.
Excuse my ignorance, but how does someone else signing my message prove that I sent the message? More so if the body of the message is not being signed at all?
On one hand we have the Utilitarian view of security. If increased security results in "more good" than evil, it is inherently ethical and thus acceptable. In this view, the idea that a good person may be blackmailed is perfectly acceptable, as long as it exposes political malfeasance.
On the other hand there's the Kantian view. If you have to lie, if it hurts someone, or if it wouldn't work if it applied to everyone, then it's unethical. This doesn't seem to work at all, because we have to allow lying (non-repudiation). But non-repudiation could prevent someone from being hurt. And applying it to everyone would allow for the least harm, rather than the most good.
In the end Utilitarianism usually reigns because it's easier. But it does ignore the edge cases, which we should consider. Perhaps the way forward is not to pick one or the other, but actually re-make the world to embrace the good and avoid the bad. Sadly, that's probably the most difficult choice of all; when's the last time we replaced a working standard just because it had crappy outcomes?
The problem with the author's paper is that his assumption (and that of, apparently, media organizations, Wikileaks, and others) of DKIM "ensuring non-repudiation of emails" is simply wrong.
>DKIM provides a life-long guarantee of email authenticity that anyone can use to cryptographically verify the authenticity of stolen emails, even years after they were sent.
No, it doesn't. It simply offers an assurance that, at around the time of sending, a given email was most likely sent from the server that signed it. It can't prove _anything_ about who actually sent it, because it can't guarantee the ownership of the email account.
>For better or for worse, the DKIM authenticity stamp has been widely used by the press, primarily in the context of political email hacks. It’s real, it’s important, and it’s meaningful.
There's no _better_ there -- only for worse. It would be better to dispute the validity of using DKIM for non-repudiation of emails than to propagate the lie and ask server operators to publish their expired secret keys.
I don't think it needs to be all server operators;
It is not difficult for me to believe a judge could find it "unlikely" that a 2013 email was forged containing a valid Google signature, and I would not want to rely on you being on my jury. If Google were to publish their private keys, I could produce a forgery of my own in my defence.
Of course it would be great if people were smarter than they are, but they're not, and I wrote some perl today, so it is hard to tilt at this particular windmill.
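An added example, not code from the post or from any commenter in this thread, to make concrete two points raised above: tptacek's distinction between MAC-based (OTR-style) authentication, which only the two parties can check, and signature-based authentication, which any third party can check; and mthoms's remark that once the signer publishes the old private key, anyone can produce a forgery, so a valid signature no longer proves authorship. The RSA here is textbook RSA with two small primes and no padding, standing in for the RSA-SHA256 that DKIM actually uses; the key material, party names and messages are all constructed for the example.

```python
"""Toy demonstration: a MAC lets the two parties authenticate each other
but proves nothing to a third party; a signature proves authorship to
anyone holding the public key, until the private key is published.

Added example.  The RSA below is textbook RSA with small primes and no
padding: it only illustrates who can forge what and must never be used
for real signing."""
import hashlib
import hmac
import secrets

# --- Part 1: shared-key MAC (the OTR-style setting) ---------------------

def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag.  Anyone holding `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

def mac_transcript_is_deniable() -> bool:
    """Alice and Bob share a MAC key.  Bob can verify Alice's message,
    but can also forge a message 'from Alice' that verifies identically,
    so the transcript is worthless as proof to a judge or journalist."""
    shared_key = secrets.token_bytes(32)          # agreed during key exchange
    alice_msg = b"from: alice\r\n\r\nI'll be late."
    alice_tag = mac(shared_key, alice_msg)
    bob_forgery = b"from: alice\r\n\r\nI confess to everything."
    forged_tag = mac(shared_key, bob_forgery)    # Bob holds the same key
    return (mac_verify(shared_key, alice_msg, alice_tag)
            and mac_verify(shared_key, bob_forgery, forged_tag))

# --- Part 2: public-key signature (the DKIM setting) --------------------

# Constructed toy key: two small known primes.  A real DKIM key is
# 1024- or 2048-bit RSA; the size is irrelevant to the forgery argument.
_P, _Q, _E = 1_000_000_007, 998_244_353, 65537
N = _P * _Q
PRIVATE_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (N, _E)

def _digest(message: bytes) -> int:
    # Hash-then-sign, reduced mod N so the toy modulus can carry it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(private_d: int, message: bytes) -> int:
    """Textbook RSA signature: digest^d mod N.  Needs the private key."""
    return pow(_digest(message), private_d, N)

def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone with the public key (for DKIM: anyone who can read DNS)
    can check this, which is exactly what makes it non-repudiable."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message)

def third_party_can_verify_but_not_forge() -> tuple:
    """While the private key stays secret, a recipient or leaker can
    convince anyone the message is genuine (first value), but cannot
    alter it and keep a valid signature (second value)."""
    genuine = b"from: alice@example.com\r\n\r\nThe real message."
    sig = sign(PRIVATE_D, genuine)
    tampered = genuine.replace(b"real", b"altered")
    return verify(PUBLIC_KEY, genuine, sig), verify(PUBLIC_KEY, tampered, sig)

def publishing_private_key_restores_deniability(published_d: int) -> bool:
    """Once the signer publishes the old private key, a stranger can
    sign anything they like.  A valid signature now proves nothing
    about who wrote the message, so the purported sender can deny it."""
    forgery = b"from: alice@example.com\r\n\r\nWords Alice never wrote."
    return verify(PUBLIC_KEY, forgery, sign(published_d, forgery))

if __name__ == "__main__":
    print("MAC transcript deniable:", mac_transcript_is_deniable())
    print("signature verify (genuine, tampered):", third_party_can_verify_but_not_forge())
    print("forgery after key release verifies:",
          publishing_private_key_restores_deniability(PRIVATE_D))
```

The MAC half is why OTR can publish its used MAC keys without harm: they never proved anything to outsiders in the first place. The signature half shows both sides of the DKIM argument at once: the same public verifiability that lets a journalist authenticate a leaked message is what vanishes the moment the private key is public.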
> It simply offers an assurance that, at around the time of sending, a given email was most likely sent from the server that signed it. It can't prove _anything_ about who actually sent it, because it can't guarantee the ownership of the email account.
Not on its own, but it's a critical step in this chain:
1. DKIM verifies that a message was sent by Gmail.
2. We assume Gmail is careful with its keys.
3. We assume Gmail doesn't forge addresses.
4. Find evidence that links me to that address.
Most people will readily grant #2 and #3. Now we just need #4, which can be easy.
No, it's not cryptographically verified end-to-end, but it's good enough to convince a court or to convince a respectable news organization to run a story.
Spot on! I used to work for a company that helped Yahoo on the RFC (we were in the email spam space). DKIM is not meant to prove the payload is authentic/un-tampered, merely that the person sending the email was authorized to use the domain's SMTP server in question. That's it. DKIM is one bit in preventing spam.
Let's just say it. The emails that sparked all this are looking for something that simply isn't there. They see what they need to see to fit a world view.
Interesting/educational read but I'm still not convinced that this unintended side effect is a bad thing - it seems like a desirable property to have authenticated emails. Matt argues this might lead to regular folks (as opposed to politicians) getting blackmailed, but:
1) it seems unlikely this cryptographic proof is needed (he acknowledges this criticism in the post), and
2) what seems more likely to me is that politicians would intentionally _not_ opt in to any alternate solution and use that deniability for their own advantage. (Also as an alternate he proposes GPG, which I know Matt knows is laughable).
I think this is a shameful argument. Non-repudiation over time is a truly powerful property of DKIM'd email for a great many uses outside of blackmail.
Calling for the ability to remove it during the years 2016-2020 in order to "protect politicians from blackmail" is not only of deeply questionable value but of suspect motivation. Who is the author interested in protecting?
As a security professional I 100% agree with the author.
The comments here on Hacker News seem to have tripped on the examples given (keywords: politicians, journalists) and turned this into the more generic and politically loaded discussion whether it's desirable to "cryptographically verify" what politicians write.
But that's not the point! The point is that DKIM is technically not designed for this use case and the way people misuse DKIM for this unintended purpose is highly problematic from a cryptographic and engineering perspective.
I think the best way to think of DKIM is that it's a "cryptographic protocol" in the sense that git is a "cryptographic protocol" because it uses SHA1. If you think "PGP" (not the best example :-)) or "Telegram" you have the wrong idea: DKIM is a bunch of cryptographic primitives haphazardly bolted onto email to solve a specific problem. It's not good cryptographic design, because good cryptographic design anticipates unintended use cases and deals with them appropriately.
1) Read the DKIM RFC.
First of all, the only header field it is required to sign is the From: header (see RFC, section 5.4). So you could still forge an email but have it pass a DKIM signature check.
If people believe that DKIM "cryptographically signs" e-mails in the sense of PGP, then that's a problem, because that's not true. A DKIM signed email doesn't actually say anything: you have to look at the signature which part of the message are signed, which is not standardized.
So you could have this situation where people, like journalists or even people on Hacker News, think a forged email is valid because it has a valid DKIM signature (but the signature is over the From: header only). E-mail is complicated as it is, without having to explain to people who have binary-classified an email as "forgery" or "not forgery" based on a specific combination of email headers and DKIM signature specification. Let's not do that.
2) Look at what mail providers actually do with their DKIM keys.
For legacy reasons due to DNS providers and length of TXT records, many large internet providers use DKIM keys that are 1024 bit RSA.
Already 10 years ago, most standard bodies started to recommend against the use of 1024 bit RSA. It's deprecated. Like MD5-deprecated.
The fact that many service providers use the same key for all emails for all customers and reuse that key for years, increasing the likelihood of the key being leaked, is another case against trusting DKIM for this purpose.
> First of all the only field that it's required to sign is the From: header
OK, I've never looked into DKIM before, but RFC 6376 looks fairly recent, and it says the message body must be hashed. Now sure, there may be issues with the hash that allow arbitrary collisions, and of course the key may have been leaked or broken, and in any case today's key is unlikely to be secure against nation states now, let alone in 10 years' time.
I agree in general the idea that having "DKIM signed" mails means they are authentic is an issue -- in 20 years time it will be easy enough for anyone to forge a DKIM signature for any email they want that they claim was sent today, but from what I can see the message body is signed.
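An added example, not from the post or from any commenter, that turns the questions in the last few comments into a check you can run on a message: which headers a DKIM-Signature actually covers (the `h=` tag; RFC 6376 section 5.4 mandates only From), whether the body is hashed (the `bh=` tag, which the reply above correctly notes is required), whether the selector's DNS record still carries a key or has been revoked with an empty `p=` (RFC 6376 section 3.6.1, the point jchook makes about retro-validation), and a rough key size. The DKIM-Signature header, body and TXT records below are constructed samples; the bytes inside the `p=` value are placeholder padding of the right length, not a real public key, and the `b=` value is a placeholder, not a real signature. The key-size figure is a heuristic from the DER length and is labelled as such.

```python
"""Added example: inspect what a DKIM signature actually covers.

Not code from the post or from any commenter.  Parses a DKIM-Signature
header and the selector's DNS TXT record to answer: which headers are
signed (h=), is the body hashed (bh=), is the key still published or
revoked (empty p=, RFC 6376 3.6.1), and roughly how big is the key.
All inputs below are constructed; the 'key' is placeholder bytes."""
import base64
import hashlib
import re

def parse_tag_list(value: str) -> dict:
    """Parse a tag=value list; folding whitespace inside values is dropped
    (RFC 6376 section 3.2)."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        k, v = item.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def signed_headers(sig_tags: dict) -> list:
    """Header names covered by the signature, lower-cased, in h= order."""
    return [h.lower() for h in sig_tags.get("h", "").split(":") if h]

def coverage_report(sig_tags: dict) -> dict:
    """Which headers people assume are signed actually are?  From is the
    only header RFC 6376 mandates; everything else is the signer's
    choice, so a 'valid DKIM signature' says nothing about the rest."""
    signed = set(signed_headers(sig_tags))
    interesting = ["from", "to", "cc", "subject", "date", "message-id", "reply-to"]
    return {h: (h in signed) for h in interesting}

def simple_body_hash(body: bytes) -> str:
    """bh= value under the 'simple' body canonicalization: trailing empty
    lines are ignored and a final CRLF is ensured (RFC 6376 3.4.3)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def body_matches(sig_tags: dict, body: bytes) -> bool:
    """The body IS covered: any change to it breaks bh= (ignoring l=)."""
    return sig_tags.get("bh") == simple_body_hash(body)

def key_record_status(txt_record: str) -> dict:
    """Interpret the selector's DNS TXT record.  An empty p= means the key
    is revoked and nothing signed with it verifies any more.  The size
    estimate uses DER length buckets of an RSA SubjectPublicKeyInfo
    (about 162 bytes for 1024-bit, 294 for 2048-bit); it is a heuristic."""
    tags = parse_tag_list(txt_record)
    p = tags.get("p", "")
    if p == "":
        return {"revoked": True, "approx_bits": 0}
    der_len = len(base64.b64decode(p))
    approx_bits = 1024 if der_len < 230 else 2048 if der_len < 420 else 4096
    return {"revoked": False, "approx_bits": approx_bits}

# ---- constructed samples (no real message, domain key or selector) -----
SAMPLE_BODY = b"Hello,\r\nPlease find the report attached.\r\n\r\n\r\n"

SAMPLE_SIGNATURE = parse_tag_list(
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\r\n"
    "\th=from:subject:date; bh=" + simple_body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=ZmFrZS1zaWduYXR1cmUtYnl0ZXM="   # placeholder, not a real signature
)

# Placeholder blob of 1024-bit-RSA SPKI length standing in for a real key.
_FAKE_1024_DER = b"\x30\x81\x9f" + b"\x00" * 159
ACTIVE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(_FAKE_1024_DER).decode()
REVOKED_RECORD = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    print("signed headers:", coverage_report(SAMPLE_SIGNATURE))
    print("body intact:", body_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("body tampered:", body_matches(
        SAMPLE_SIGNATURE, SAMPLE_BODY.replace(b"report", b"invoice")))
    print("active key:", key_record_status(ACTIVE_RECORD))
    print("revoked key:", key_record_status(REVOKED_RECORD))
```

Two things worth reading off the output: the constructed signature covers From, Subject and Date but not To, so a "valid" signature here says nothing about who the message was addressed to; and a revoked record yields no verification at all, which is why a DKIM signature on an old leak can only be checked if someone kept a copy of the selector's public key from the time.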
Technically, DKIM probably shouldn't take away deniability. But to be fair, this discussion doesn't exist in a vacuum. Requesting that Google publish private keys is inherently politically loaded, given recent events (and it was neither a goal nor an anti-goal in DKIM's design, so it's not that there is a mistake in the protocol or something).
If some provider decides to implement this proposal, I don't think they should do it retroactively and publish old keys. It would be just inviting additional political shitstorm.
The piece seems to be arguing from a general principle. Repudiation is a feature of most secure messaging applications and it is a feature that should be introduced to GMail. This argument doesn't fully address how technologies are actually used today.
As far as I can tell, people who need repudiation are already using apps that have repudiation (eg Signal), because they know they are in a vulnerable position. The people who need repudiation already have it. So far we have seen DKIM authentication used against individuals in positions of power. With things as they are, cryptography is leveling the playing field by empowering the vulnerable while holding those in power responsible. If this situation or balance were to change perhaps it would make sense to rethink DKIM non-repudiation. I understand this is an opinionated/political take on cryptography that not everyone would share.
> Google could launch the process right now by releasing its ancient 2016-era private keys. Since the secrecy of these serves literally no security purpose at this point, except for allowing third parties to verify email leaks, there’s no case for keeping these values secret at all.
I've used Google's DKIM signatures to timestamp call recordings for years by putting a sha256 of the attached recording in the subject, so "literally no security purpose" isn't true!
(though I should probably go through and timestamp those signatures right now using another method, just in case this guy's idea gains any traction)
DKIM's protections aren't as strong as people say they are (though fairly strong).
1) DKIM doesn't protect the To: header in any reasonable way (it's not really designed to). I.e. it protects it in the sense that the original email had that as the To: header, but this is easy to forge, as the To: header is not used by SMTP in delivery (think Bcc). I.e. it's easy to write emails that are To: <some address> that are never attempted to be delivered to said address.
2) DKIM (even on Gmail) doesn't quite protect the From: header as one would expect. Yes, Gmail in general makes it difficult to spoof the email in the From header (it will replace it with your own if you try, in the general case), but there's a huge 'but': if you gave Gmail itself access to use that e-mail. I.e. I can be [email protected], but if [email protected] was convinced to allow me access to send emails as [email protected] (either via cooperation or a technical or sociological hack), then I can do that without having access to the account. And this permission is permanent; as far as I can tell, it is irrevocable, and to other Gmail users there is no indication that other accounts have this permission for your email.
So what do we learn?
1) You can't 100% trust DKIM to believe who an email was sent to unless you actually retrieved it out of said user's email spool.
2) You can't 100% trust DKIM to believe who actually sent an email (even on Gmail).
Now, do I think DKIM gives anywhere close to 0% trust? No, I think it's much closer to 100 than 0, but one has to understand the limitations, and most people who discuss it don't seem to understand them.
The threat is a hack playing a very long game. If one doesn't view that long-game hack threat as serious, then it's close enough to 100% (especially if Gmail rotates their keys even without making the private part public), but if a long-game hack threat is a serious thing, then it drops.
I don't see non-repudiation as that bad a thing. Are people any less likely to be blackmailed due to technical deniability of email contents? I feel that for most, that wouldn't matter.
"The problem with DKIM is that no customers asked for this feature as a default in their commercial mail account."
Two questions:
Have there ever been any Gmail design decisions, e.g., default settings, where users were consulted first?
I was recently informed by another HN commenter that "99% of users" are "not qualified to have opinions" on something like macOS behaviour,[FN1] or in this case Gmail behaviour. If this is true, should "99%" of users be given the choice not to use DKIM if they are "not qualified" to have an opinion on DKIM?
>it makes us all more vulnerable to extortion and blackmail
This is true with the added proviso that, by "us", he means "the guilty". The rest are, on the contrary, protected from this very particular form of these crimes.
I doubt Google will publish old private keys that were not designed to become public later. I would guess that it's too dangerous or cumbersome to do the security analysis.
What if someone realizes that Google uses a broken cryptographically secure pseudorandom number generator (CSPRNG) à la Debian? Unlikely, but the risk exists, so it's not going to happen, in my opinion.
Wow. This blog post is appalling. I completely disagree with it.
Consider this excerpt from the blog post:
> But DKIM authenticity is great! Don’t we want to be able to authenticate politicians’ leaked emails?
> Modern DKIM deployments are problematic because they incentivize a specific kind of crime: theft of private emails for use in public blackmail and extortion campaigns. An accident of the past few years is that this feature has been used primarily by political actors working in a manner that many people find agreeable — either because it suits a partisan preference, or because the people who got “caught” sort of deserved it.
> But bad things happen to good people too. If you build a mechanism that incentivizes crime, sooner or later you will get crimed on.
The author seems to be arguing that if after a certain point it becomes impossible to verify whether an email was genuine or not, that would somehow be a good thing.
This reasoning seems harmful to me. It's incredible that the author treats this moral argument as self evident. Let me state my objections clearly.
1. The truthfulness and reliability of the historical record is important. The fact that politicians are protected from blackmail when they write incriminating emails is utterly insignificant by comparison. Is the principle being defended that protecting politicians from blackmail is stronger than a public interest in having a historical record?
2. Making historical emails impossible to authenticate after a certain period of time makes it more difficult to prosecute crimes. It helps criminals, the very thing the author claims to be trying to avoid. If a politician, or anyone for that matter, sends an incriminating email which is evidence of the intent to commit a crime, why on earth would you want to make it easier to cover your tracks?
Seriously, can someone present a moral argument for why this should be adopted? It seems only harmful to me.
The author underestimates how ready people are to believe slander. Publishing DKIM keys will only allow people to produce more convincing faked emails. If a bunch of faked emails about a political leader signed with DKIM keys were released, security experts would say these keys are leaked and anyone could fake those emails, but by the time they do, the damage will have already happened and no one would be listening to them. The solution is not to release DKIM keys, but to make sure mails are not leaked. Throwing away signatures a few days after the email is delivered would not be a bad plan either, given they have actually served their purpose at that point.
Can't you just set up your mailserver so that it drops all the crypto headers (DKIM-Signature, ...) after verifying them and storing the result in Authentication-Results? Only your server's Authentication-Results header is really relevant to spam filtering, anyway.
Unless you're debugging something, those headers seem irrelevant anyway, and they bloat the messages very much (often they are 3-4x the size of the actual email).
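An added example, not code from the post or from the commenter above, of the post-verification step that comment describes, applied to a stored message with Python's standard library `email` package. Verification itself is assumed to have already happened (by whatever DKIM verifier the receiving MTA runs); the function records that verdict in an Authentication-Results header under a local authserv-id and then drops every DKIM-Signature header, so the archived copy no longer carries a signature a later leaker could present to outsiders. The sample message, the authserv-id `mx.example.org`, the signing domain and the `bh=`/`b=` values are all constructed for the example.

```python
"""Added example: strip DKIM-Signature headers after verification and
keep only the local verdict, as the comment above proposes.

Not code from the post or the commenter.  Verification is assumed to
have been done already by the receiving MTA; this only records the
verdict (RFC 8601 Authentication-Results) and removes the signatures."""
import email
from email import policy
from email.message import EmailMessage

AUTHSERV_ID = "mx.example.org"   # assumed: the local receiving host's id (RFC 8601)

# Constructed sample: one signed inbound message.  bh= and b= are placeholders.
SAMPLE_RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject;\r\n"
    " bh=MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=; b=cGxhY2Vob2xkZXI=\r\n"
    "From: Alice <alice@example.com>\r\n"
    "To: Bob <bob@example.org>\r\n"
    "Subject: Quarterly numbers\r\n"
    "Date: Tue, 17 Nov 2020 09:00:00 +0000\r\n"
    "Message-ID: <constructed-1@example.com>\r\n"
    "\r\n"
    "Bob, the figures are attached.\r\n"
)

def strip_signatures(raw: str, dkim_result: str, signing_domain: str) -> EmailMessage:
    """Return the message with every DKIM-Signature removed and the
    already-computed verdict recorded in Authentication-Results.

    dkim_result is the verifier's result ('pass', 'fail', 'none', ...).
    Do this only at your own border, after your own verifier has run:
    the spam-filtering value is kept in Authentication-Results, while
    the persistent, third-party-checkable proof is discarded.  Nothing
    downstream can re-verify the signature afterwards; that is the point."""
    msg = email.message_from_string(raw, policy=policy.default)
    del msg["DKIM-Signature"]                # removes all instances at once
    msg["Authentication-Results"] = (
        f"{AUTHSERV_ID}; dkim={dkim_result} header.d={signing_domain}"
    )
    return msg

def signature_count(msg: EmailMessage) -> int:
    """How many DKIM-Signature headers remain."""
    return len(msg.get_all("DKIM-Signature", []))

def auth_result(msg: EmailMessage) -> str:
    """The recorded verdict, or '' if none."""
    return str(msg.get("Authentication-Results", ""))

def body_text(msg: EmailMessage) -> str:
    """Body unchanged by the header surgery."""
    return msg.get_content().strip()

if __name__ == "__main__":
    stripped = strip_signatures(SAMPLE_RAW, "pass", "example.com")
    print(stripped.as_string())
```

Two caveats a deployer would want. This only helps for copies that pass through your own receiving MTA; a message exfiltrated from the sender's side, or from a recipient who did not strip, still carries the signature. And the Authentication-Results header is itself only trustworthy inside your own domain, which is why RFC 8601 has receivers remove any pre-existing Authentication-Results claiming their own authserv-id before adding their own.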
This relies on the problematic approach to deniability of making forgeries possible.
To make this work you need to claim a forgery when you know that no such forgery occurred. So you explicitly or implicitly have to accuse someone of a serious crime/offence they did not commit. Most people have a greater sense of honour than that. Those that don't would still have to fear getting caught.
If someone actually does forge a message using the old private keys provided by Google then you would have to fight the assumption that you were using the system as it was designed. Everyone would just assume you said it and are now using the possibility of forgery to lie about having said it.
You can always claim a forgery anyway should you decide to do that. Perhaps someone got access to Google's relatively poorly guarded DKIM private key. How would you know? You are probably not making a specific claim anyway.
[+] [-] hpoe|5 years ago|reply
It seems to me that especially when an elected official has something they don't want others to know about that it should be public knowledge.
After all an efficient marketplace only is efficient if all actors have access to as much information as possible.
EDIT: As a follow up, several people point out that it could happen to me or a family member, but this seems even further reason to have DKIM so that if someone attempts to blackmail me based on the contents of my email, checking the DKIM signature makes it even easier to disprove a bad blackmail attempt.
[+] [-] dan-robertson|5 years ago|reply
The way to have transparency into politician’s communications is to require them by law to be made public, and to use law enforcement to make sure that this actually happens. It seems that relying on information going over email (as opposed to eg signal), and getting hacked (perhaps you want it all hacked, perhaps you are more happy while it is the side you don’t like getting hacked, either way I think one must acknowledge that by focusing on what is hacked, one is granting those hackers great control of the narrative) is not really very useful.
[+] [-] woodruffw|5 years ago|reply
I don't think Matthew Green is arguing against transparency. What he's observing is that non-repudiation is an unintentional byproduct of DKIM's design. Because it's a byproduct, DKIM's users have made implementation decisions that make it susceptible to weaknesses in the unintentional non-repudiation property.
By 2030, a motivated nation state will probably have the ability to crack the 2048-bit RSA keys that Google is currently using for DKIM. Do you really want someone in 2031 to be able to contrive fake signatures for the emails of politicians in 2021?
blendergeek|5 years ago
He mentions the politicians because those were high profile cases. This could be used against anybody, not just politicians.
> It seems to me that especially when an elected official has something they don't want others to know about that it should be public knowledge.
Is this true of everybody else as well? Should anybody be able to deny an email they sent in the past? If so, we have to take this step.
jchook|5 years ago
In fact, it does not authenticate any emails without a corresponding public key currently published to DNS. It provides specifically for "empty" or revoked keys to avoid such retro-validation.
Seems the central thesis is that because these messages are patently no longer authenticated by DKIM, we should eliminate any remaining hope of them being construed as authenticated by DKIM.
LinuxBender|5 years ago
For example, I have servers that DKIM sign emails. If a person uses my servers to send a death threat, the FBI is going to want web access logs and smtp logs.
mthoms|5 years ago
eru|5 years ago
No matter what you think about politicians, it is a failure of cryptography, or perhaps our common application of it, that the signatures we use to assure our conversation partner of our identity can also be used for our conversation partner (or divers third parties) to prove what we said.
Compare https://en.wikipedia.org/wiki/Off-the-Record_Messaging which solved this problem quite a few years ago. Off-the-Record Messaging allows your conversation partner to know that they are talking to the real you, but does not empower them to prove that to anyone else.
bouncycastle|5 years ago
The purpose of DKIM is to help prevent spam, not to verify the authenticity of the sender.
willyt|5 years ago
Even google didn't bother to rotate their DKIM keys as recommended by the standard, so one wonders if the google keys are stored in a cage guarded by lasers and dogs or if there are copies on someone's laptop somewhere and any sysadmin with a gambling problem or a secret affair could have leaked them to an unscrupulous journalist or a spy.
bambax|5 years ago
> This is an amazing resource for journalists (...) But it doesn’t benefit you.
If it's an amazing resource for journalists it benefits me.
feanaro|5 years ago
013a|5 years ago
I think his point is that the DKIM signatures could be used to verify that you did, in fact, send something worth being blackmailed over, rather than having the plausible deniability of saying that your DKIM private key from that period is already public and thus could be forged.
Which, to me, sounds similar to the classic XKCD "Theoretically, I use 2048bit RSA encryption and the hackers can't get my data. In reality, they just beat me with a hammer until I give up the password." Maybe a public DKIM argument would hold up in court, but if we're just talking reputation blackmail among family and friends, it ain't it, chief.
mthoms|5 years ago
[deleted]
buraktamturk|5 years ago
That specific e-mail does not have a DKIM signature (maybe because it was sent to his own gmail address? or to a gmail address in general?).
I am aware that even if they publish the DKIM secrets, these e-mails will not lose any value, since they were posted before the secrets.
But I think using e-mails as evidence should be a thing in general. You could receive them on your personal e-mail server and want to authenticate them and use them in court, even years later. If they publish the keys, it would not be possible, as you could be the one who forged the e-mail, as if it were received from somebody else and had been put on your IMAP server manually.
tptacek|5 years ago
In messaging cryptography, non-repudiability has for almost 2 decades been considered a vulnerability, not a feature. The OTR protocol[1] takes the step of publishing its used MAC keys --- it releases private key material! --- to ensure that random people can forge messages once participants have authenticated them. Signal came up with a novel deniable AKE[2] that is one of the more famous parts of the protocol; by design, you can forge a Signal conversation from someone's private key even if you've never talked to them before.†
When you think about it in the abstract, it's easy to understand what's going on, even if you don't take the time to read the OTR paper. Once counterparties have authenticated each other's messages, authentication has served its purpose. To allow a stranger to authenticate a message is to concede information to them, and avoiding concessions is the point of messaging cryptography.
If you believe non-repudiable messages are necessary for public policy, it's hard for me to understand how you'd support the rest of secure messaging. Most secure messengers also have "disappearing messages", which have an even more powerful impact on the public's ability to read your (or some disfavored other's) messages. In fact, keeping the public from reading stuff is... kind of the obvious point?
Maybe it's just email, and the belief that email should not just be insecure, but be deliberately insecure? But, you all get how weird it is for me to read that after getting yelled at for writing a blog post about avoiding secure email, right? 547 comments[3]! Many of them very angry!
[1]: https://otr.cypherpunks.ca/otr-wpes.pdf
[2]: https://signal.org/blog/simplifying-otr-deniability/
[3]: https://news.ycombinator.com/item?id=22368888
† I'm always looking for this triple-DH blog post and never able to find it, because it doesn't contain the word "triple", and it never occurs to me to search for "deniable", only "repudiability" (which also doesn't occur in the blog post), so I guess I can thank this thread for fixing my bookmark.
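To make the OTR point in the comment above concrete, here is an added example written for this thread; it is not OTR's or Signal's code, and the Diffie-Hellman group (a 61-bit Mersenne prime with base 3), the key-derivation label and the message strings are constructed assumptions, far too small to be secure. Two parties agree on a symmetric MAC key, one authenticates a message, and the other party, holding the same key, produces an equally valid tag for text that was never sent. Publishing the key afterwards, as OTR does with its MAC keys, lets any third party do the same, so the transcript cannot be attributed to either side:

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: a Mersenne prime and a small base, constructed for
# illustration only. Real protocols use X25519 or a 2048-bit+ MODP group.
P = 2 ** 61 - 1
G = 3


def dh_keypair():
    """Ephemeral DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_mac_key(priv, peer_pub):
    """Both sides derive the same symmetric MAC key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"toy-otr-mac-key" + shared.to_bytes(8, "big")).digest()


def authenticate(key, message):
    """HMAC tag over the message; anyone holding `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    return hmac.compare_digest(authenticate(key, message), tag)


def session():
    """Alice sends Bob an authenticated message; the shared key lets Bob (and,
    once the key is published, anyone) produce a tag that verifies just as well."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = dh_shared_mac_key(a_priv, b_pub)
    k_bob = dh_shared_mac_key(b_priv, a_pub)

    msg = b"Alice: let's meet at noon"
    tag = authenticate(k_alice, msg)
    # Bob is the only other key holder, so for Bob this proves the message is Alice's.
    bob_accepts = verify(k_bob, msg, tag)

    # Bob, holding the identical key, can make a "message from Alice" that Alice never sent.
    forged = b"Alice: I never said that"
    forged_tag = authenticate(k_bob, forged)
    forgery_verifies = verify(k_alice, forged, forged_tag)

    # OTR's extra step: after the session the MAC key is published, so any third
    # party could have produced either tag and the transcript proves nothing.
    published_key = k_alice
    return {
        "keys_agree": k_alice == k_bob,
        "bob_accepts": bob_accepts,
        "forgery_verifies": forgery_verifies,
        "published_key": published_key,
        "transcript": [(msg, tag), (forged, forged_tag)],
    }


def third_party_can_forge(published_key, transcript):
    """With the published key a stranger both re-verifies the transcript and tags new text."""
    old_ok = all(verify(published_key, m, t) for m, t in transcript)
    new_msg = b"Alice: anything at all"
    return old_ok and verify(published_key, new_msg, authenticate(published_key, new_msg))


if __name__ == "__main__":
    s = session()
    print(s["bob_accepts"], s["forgery_verifies"], third_party_can_forge(s["published_key"], s["transcript"]))
```

The contrast with DKIM is the asymmetry: a DKIM signature can only be produced by the holder of the domain's private key and can be checked by anyone who fetches the public key from DNS, so it stays attributable to the signing domain for as long as that key is trusted, whereas nothing in the transcript above distinguishes the sender from the recipient.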
syrrim|5 years ago
timmytokyo|5 years ago
patrec|5 years ago
Whilst I agree with you that email messages should be repudiable, I have a feeling you're trying to pass something off as axiomatic that isn't. For example, isn't a confidential business agreement basically exactly, by design, an authenticated non-repudiable message that can be authenticated by third parties (such as courts)?
moyix|5 years ago
unknown|5 years ago
[deleted]
FrozenVoid|5 years ago
PhineasRex|5 years ago
Obviously the conflation of a bunch of different use-cases into this one protocol is a problem, but I don't know that just making email more secure is a solution.
fpig|5 years ago
Non-repudiation is of course a needed property for many systems, but it is not a property a system, especially an everyday messaging system like email, should have by accident - even "weak" non-repudiation such as DKIM. It is a violation of privacy. The suggestion the author makes of course doesn't completely get rid of it, but at least makes it time-limited.
sethgecko|5 years ago
unknown|5 years ago
[deleted]
peterwwillis|5 years ago
On one hand we have the Utilitarian view of security. If increased security results in "more good" than evil, it is inherently ethical and thus acceptable. In this view, the idea that a good person may be blackmailed is perfectly acceptable, as long as it exposes political malfeasance.
On the other hand there's the Kantian view. If you have to lie, if it hurts someone, or it wouldn't work if it applied to everyone, then it's unethical. This doesn't seem to work at all, because we have to allow lying (non-repudiation). But non-repudiation could prevent someone from being hurt. And applying it to everyone would allow for the least harm, rather than the most good.
In the end Utilitarianism usually reigns because it's easier. But it does ignore the edge cases, which we should consider. Perhaps the way forward is not to pick one or the other, but actually re-make the world to embrace the good and avoid the bad. Sadly, that's probably the most difficult choice of all; when's the last time we replaced a working standard just because it had crappy outcomes?
creeble|5 years ago
>DKIM provides a life-long guarantee of email authenticity that anyone can use to cryptographically verify the authenticity of stolen emails, even years after they were sent.
No, it doesn't. It simply offers an assurance that, at around the time of sending, a given email was most likely sent from the server that signed it. It can't prove _anything_ about who actually sent it, because it can't guarantee the ownership of the email account.
>For better or for worse, the DKIM authenticity stamp has been widely used by the press, primarily in the context of political email hacks. It’s real, it’s important, and it’s meaningful.
There's no _better_ there -- only for worse. It would be better to dispute the validity of using DKIM for non-repudiation of emails than to propagate the lie and ask server operators to publish their expired secret keys.
X6S1x6Okd1st|5 years ago
When a potentially important email dump is leaked, individuals will use any reasonable means to gain information about its authenticity.
Knowing that DKIM headers are on those emails and that the service provider hasn't published those keys changes the question from:
"Did you send this email" to "Was your email address compromised at this time?"
geocar|5 years ago
It is not difficult for me to believe a Judge could find it "unlikely" that a 2013 email was forged containing a valid Google signature, and I would not want to rely on you being on my jury. If Google were to publish their private keys, I could produce a forgery of my own in my defence.
Of course it would be great if people were smarter than they are, but they're not, and I wrote some perl today, so it is hard to tilt at this particular windmill.
cakoose|5 years ago
Not on its own, but it's a critical step in this chain:
1. DKIM verifies that a message was sent by Gmail.
2. We assume Gmail is careful with its keys.
3. We assume Gmail doesn't forge addresses.
4. Find evidence that links me to that address.
Most people will readily grant #2 and #3. Now we just need #4, which can be easy.
No, it's not cryptographically verified end-to-end, but it's good enough to convince a court or to convince a respectable news organization to run a story.
LimaBearz|5 years ago
Let's just say it. The emails that sparked all this are looking for something that simply isn't there. They see what they need to see to fit a world view.
arkadiyt|5 years ago
1) it seems unlikely this cryptographic proof is needed (he acknowledges this criticism in the post), and
2) what seems more likely to me is that politicians would intentionally _not_ opt in to any alternate solution and use that deniability for their own advantage. (Also as an alternate he proposes GPG, which I know Matt knows is laughable).
xbar|5 years ago
Calling for the ability to remove it during the years 2016-2020 in order to "protect politicians from blackmail" is not only of deeply questionable value but of suspect motivation. Who is the author interested in protecting?
bjornedstrom|5 years ago
The comments here on Hacker News seem to have tripped on the examples given (keywords: politicians, journalists) and turned this into the more generic and politically loaded discussion of whether it's desirable to "cryptographically verify" what politicians write.
But that's not the point! The point is that DKIM is technically not designed for this use case and the way people misuse DKIM for this unintended purpose is highly problematic from a cryptographic and engineering perspective.
I think the best way to think of DKIM is that it's a "cryptographic protocol" in the sense that git is a "cryptographic protocol" because it uses SHA1. If you think "PGP" (not the best example :-)) or "Telegram" you have the wrong idea: DKIM is a bunch of cryptographic primitives haphazardly bolted on email to solve a specific problem. It's not good cryptographic design, because good cryptographic design anticipates unintended use cases and deals with them appropriately.
1) Read the DKIM RFC.
First of all the only field that it's required to sign is the From: header (see RFC, section 5.4). So you could still forge an email but have it pass a DKIM signature check.
If people believe that DKIM "cryptographically signs" e-mails in the sense of PGP, then that's a problem, because that's not true. A DKIM signed email doesn't actually say anything: you have to look at the signature to see which parts of the message are signed, which is not standardized.
So you could have this situation where people, like journalists or even people on Hacker News, think a forged email is valid because it has a valid DKIM signature (but the signature is over the From: header only). E-mail is complicated as it is without having to explain to people who have binary-classified an email as "forgery" or "not forgery" based on a specific combination of email headers and DKIM signature specification. Let's not do that.
2) Look at what mail providers actually do with their DKIM keys.
For legacy reasons due to DNS providers and length of TXT records, many large internet providers use DKIM keys that are 1024 bit RSA.
Already 10 years ago, most standard bodies started to recommend against the use of 1024 bit RSA. It's deprecated. Like MD5-deprecated.
The fact that many service providers use the same key for all emails for all customers and reuse that key for years, increasing the likelihood of the key being leaked, is another case against trusting DKIM for this purpose.
iso1631|5 years ago
> First of all the only field that it's required to sign is the From: header
OK, I've never looked into DKIM before, but 6376 looks fairly recent, and it reports the message body must be hashed. Now sure, there may be issues with the hash to allow arbitrary collisions, and of course the key may have been leaked or broken, and in any case today's key is unlikely to be secure against nation states now, let alone in 10 years time.
I agree in general the idea that having "DKIM signed" mails means they are authentic is an issue -- in 20 years time it will be easy enough for anyone to forge a DKIM signature for any email they want that they claim was sent today, but from what I can see the message body is signed.
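The two comments above are talking about different tags of the same DKIM-Signature header: the list of signed headers is the h= tag (RFC 6376 requires only From to appear there), while the body is always covered through the bh= body hash, optionally capped by the l= body-length tag. The following added example, written for this thread rather than taken from any DKIM library or from the post, parses a constructed DKIM-Signature value, reports which of the message's headers h= actually covers, recomputes bh= under the RFC 6376 simple or relaxed body canonicalization, and flags l=. The names EXPECTED_HEADERS, build_sample_signature, analyze and the sample message are assumptions of the example; the b= value is a placeholder and the RSA signature itself is not verified here.

```python
import base64
import hashlib
import re

# Headers a reader normally treats as "what the mail says". If any of them is
# absent from h=, the signature is silent about it. (Constructed list for this
# example; RFC 6376 only requires From to be signed.)
EXPECTED_HEADERS = ("from", "to", "subject", "date")


def parse_dkim_signature(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")  # base64 '=' padding stays inside val
        tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags


def signed_headers(tags):
    """Header names listed in h=, lower-cased, in signing order."""
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]


def coverage_report(tags, present_headers):
    """Which of the message's headers the signature actually covers."""
    covered = set(signed_headers(tags))
    present = [h.lower() for h in present_headers]
    return {
        "signed": [h for h in present if h in covered],
        "unsigned": [h for h in present if h not in covered],
        "missing_expected": [h for h in EXPECTED_HEADERS if h not in covered],
        # l= caps the body hash at the first N octets: anything after that is unsigned.
        "body_length_limited": "l" in tags,
    }


def simple_body_canonicalize(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n")
    return body + "\r\n" if body else "\r\n"


def relaxed_body_canonicalize(body):
    """RFC 6376 'relaxed' body canonicalization: collapse WSP runs, strip line-end WSP."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.replace("\r\n", "\n").split("\n")]
    body = "\r\n".join(lines).rstrip("\r\n")
    return body + "\r\n" if body else "\r\n"


def body_hash_matches(tags, body):
    """Recompute bh= from the body and compare it with the value in the signature."""
    mode = tags.get("c", "simple/simple").split("/")  # c=header/body; body defaults to simple
    canon_fn = relaxed_body_canonicalize if len(mode) == 2 and mode[1] == "relaxed" else simple_body_canonicalize
    canon = canon_fn(body).encode()
    if "l" in tags:
        canon = canon[: int(tags["l"])]  # only the first l= octets are hashed
    digest = hashlib.sha256(canon).digest()
    return base64.b64encode(digest).decode() == tags.get("bh", "")


# Constructed sample message: only From and Date are listed in h=.
SAMPLE_HEADERS = ["From", "To", "Subject", "Date", "Message-ID"]
SAMPLE_BODY = "Please approve the wire transfer today.\r\n\r\n"


def build_sample_signature(body):
    """Constructed DKIM-Signature for the sample; b= is a placeholder, not a real signature."""
    bh = base64.b64encode(hashlib.sha256(simple_body_canonicalize(body).encode()).digest()).decode()
    return ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2021; "
            "h=from:date; bh=" + bh + "; b=PLACEHOLDER_SIGNATURE")


def analyze(signature_value, present_headers, body):
    """Coverage report plus body-hash check for one message."""
    tags = parse_dkim_signature(signature_value)
    report = coverage_report(tags, present_headers)
    report["body_hash_ok"] = body_hash_matches(tags, body)
    return report


if __name__ == "__main__":
    print(analyze(build_sample_signature(SAMPLE_BODY), SAMPLE_HEADERS, SAMPLE_BODY))
```

For the sample, the report lists To, Subject and Message-ID as unsigned even though the body hash matches, which is exactly the situation the comment above warns about: a "valid DKIM signature" on a message whose Subject and recipient could have been rewritten freely. Adding an l= tag equal to the canonical body length makes appended body text invisible to the hash as well.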
garaetjjte|5 years ago
If some provider decides to implement this proposal, I don't think they should do it retroactively and publish old keys. It would be just inviting additional political shitstorm.
Paul-ish|5 years ago
As far as I can tell, people who need repudiation are already using apps that have repudiation (eg Signal), because they know they are in a vulnerable position. The people who need repudiation already have it. So far we have seen DKIM authentication used against individuals in positions of power. With things as they are, cryptography is leveling the playing field by empowering the vulnerable while holding those in power responsible. If this situation or balance were to change perhaps it would make sense to rethink DKIM non-repudiation. I understand this is an opinionated/political take on cryptography that not everyone would share.
blibble|5 years ago
I've used Google's DKIM signatures to timestamp call recordings for years by putting a sha256 of the attached recording in the subject, so "literally no security purpose" isn't true!
(though I should probably go through and timestamp those signatures right now using another method, just in case this guy's idea gains any traction)
compsciphd|5 years ago
1) DKIM doesn't protect the To: header in any reasonable way (it's not really designed to). I.e. it protects it in the sense that the original email had that as the To: header, but this is easy to forge, as the To: header is not used by SMTP in delivery (think Bcc). I.e. it's easy to write emails that are To: <some address> that are never attempted to be delivered to said address.
2) DKIM (even on gmail) doesn't quite protect the From: header as one would expect. Yes, gmail in general makes it difficult to spoof the email in the From header (it will replace it with your own if you try in the general case), but there's a huge but, if you gave gmail itself access to use that e-mail. I.e. I can be [email protected] but if [email protected] was convinced to allow me access to send emails as [email protected] (either via cooperation or a technical or sociological hack) then I can do that without having access to the account. And this permission is permanent. As far as I can tell, it's irrevocable, and to other gmail users there is no indication that other accounts have this permission for your email.
So what do we learn?
1) Can't 100% trust DKIM to believe who an email was sent to unless you actually retrieved it out of said user's email spool.
2) Can't 100% trust DKIM to believe who actually sent an email (even on gmail).
Now, do I think DKIM gives anywhere close to 0% trust? No, I think it's much closer to 100 than 0, but one has to understand the limitations, and most people who discuss it don't seem to understand them.
The threat is a hack playing a very long game. If one doesn't view that long-game hack threat as serious, then it's close enough to 100% (especially if gmail rotates their keys even without making the private part public), but if a long-game hack threat is a serious thing, then it drops.
bawolff|5 years ago
1vuio0pswjnm7|5 years ago
Two questions:
Have there ever been any Gmail design decisions, e.g., default settings, where users were consulted first?
I was recently informed by another HN commenter that "99% of users" are "not qualified to have opinions" on something like MacOS behaviour,[FN1] or in this case Gmail behaviour. If this is true, should "99%" of users be given the choice not to use DKIM if they are "not qualified" to have an opinion on DKIM?
1. https://news.ycombinator.com/item?id=25100342
FrozenVoid|5 years ago
prvc|5 years ago
This is true with the added proviso that, by "us", he means "the guilty". The rest are protected, on the contrary, to this very particular form of these crimes.
speedgoose|5 years ago
What if someone realizes that Google uses a broken cryptographically secure pseudorandom number generator (CSPRNG) à la Debian? Unlikely, but the risk exists, so not going to happen in my opinion.
landryraccoon|5 years ago
Consider this excerpt from the blog post:
> But DKIM authenticity is great! Don’t we want to be able to authenticate politicians’ leaked emails?
> Modern DKIM deployments are problematic because they incentivize a specific kind of crime: theft of private emails for use in public blackmail and extortion campaigns. An accident of the past few years is that this feature has been used primarily by political actors working in a manner that many people find agreeable — either because it suits a partisan preference, or because the people who got “caught” sort of deserved it.
> But bad things happen to good people too. If you build a mechanism that incentivizes crime, sooner or later you will get crimed on.
The author seems to be arguing that if after a certain point it becomes impossible to verify whether an email was genuine or not, that would somehow be a good thing.
This reasoning seems harmful to me. It's incredible that the author treats this moral argument as self evident. Let me state my objections clearly.
1. The truthfulness and reliability of the historical record is important. The fact that politicians are protected from blackmail when they write incriminating emails is utterly insignificant by comparison. Is the principle being defended that protecting politicians from blackmail is stronger than a public interest in having a historical record?
2. Making historical emails impossible to authenticate after a certain period of time makes it more difficult to prosecute crimes. It helps criminals, the very thing the author claims to be trying to avoid. If a politician, or anyone for that matter, sends an incriminating email which is evidence of the intent to commit a crime, why on earth would you want to make it easier to cover your tracks?
Seriously, can someone present a moral argument for why this should be adopted? It seems only harmful to me.
throwawayffffas|5 years ago
nisuni|5 years ago
megous|5 years ago
Unless you're debugging something, those headers seem irrelevant anyway, and they bloat the messages very much (often they are 3-4x the size of the actual email).
upofadown|5 years ago
To make this work you need to claim a forgery when you know that no such forgery occurred. So you explicitly or implicitly have to accuse someone of a serious crime/offence they did not commit. Most people have a greater sense of honour than that. Those that don't would still have to fear getting caught.
If someone actually does forge a message using the old private keys provided by Google then you would have to fight the assumption that you were using the system as it was designed. Everyone would just assume you said it and are now using the possibility of forgery to lie about having said it.
You can always claim a forgery anyway should you decide to do that. Perhaps someone got access to Google's relatively poorly guarded DKIM private key. How would you know? You are probably not making a specific claim anyway.