RFC 8616: Support utf-8 signatures #163
Comments
|
Thanks for letting me now about RFC 8616, didn't yet know about it. Would probably take some time to adapt the add-on to it. Especially because like you mentioned some kind of protection against homograph attacks should probably be added. Are you aware of this new RFC already being actively used? Or did you just tried it out with a special test mail? Note that the add-on currently does not even handle all allowed local parts (as defined in RFC 6376) of the AUID ( |
|
I registered an IDN domain several years ago. A few months ago the server I use enabled EAI (the last in this list) so I'm experimenting with it. Gmail doesn't allow to crate EAI accounts, yet, but verifies signatures correctly. Right now, Thunderbird allows to send to IDN domains, but not to EAI local parts, nor to create accounts with IDN domains. So, no. AFAICS EAI is not yet widely used. However, I'd bet it will widely catch on before the Antarctic melts, especially in eastern countries. The changes needed are probably a few lines, where the software unwarrantedly checks ASCII. If you do DMARC, alignment should provide for IDNA comparisons. Ditto for SPF. DKIM works fine with utf-8. Overall, it shouldn't need a big investment of time, but neither needs to be done in August... Thank you for a nice add-on. |
|
As part of #219 I also started to have a first look into this. If anyone has any real world example e-mails, please send them to me via e-mail. |
|
Some links maybe helpful when implementing this: |
This bug is twofold. Both aspects of it originate from rfc8616, which allows d=, i=, and s= tags of a DKIM-Signature header field to be utf-8.
On the one hand, the verification fails with:
I think it's the regex in
parseTagValueListwhich doesn't match utf-8 chars. If it can be made to match them, then you may need to use IDNA to convert the domain to anxn--...string before looking up the key.On the other hand, utf-8 domain names allow to play homograph attacks by using domains like, say,
аmazon.com, where the first letter is a Cyrillic small а. Whether verified or not signed at all, a message from an IDN can be fully legitimate or a homographic attack. A coloring scheme or an icon that easily allows to recognize non-ASCII domain names can save the day. Otherwise, someone of us should open a Thunderbird bug as suggested here (see also my comment there). Mozilla have an heuristic algorithm, implemented for Firefox, to try and determine if an IDN is malicious —if we file a Thunderbird bug, we should mention it.The text was updated successfully, but these errors were encountered: