mini-DebConf Germany

Breaking DKIM and BIMI with the 2008 Debian OpenSSL Bug



by Hanno Böck

At: miniDebConf Berlin 2024

https://berlin2024.mini.debconf.org/talks/17-breaking-dkim-and-bimi-with-the-2008-debian-openssl-bug/
https://wiki.debian.org/DebianEvents/de/2024/MiniDebconfBerlin

In 2008, a severe security vulnerability was discovered in Debian's OpenSSL package. Due to a bug, cryptographic keys generated with the affected OpenSSL packages used very limited entropy, effectively limiting the number of possible keys to a few tens of thousands. That was 16 years ago, but it turns out that affected keys are still in use in the wild.

The speaker has developed badkeys, a free software tool that scans cryptographic public keys for known vulnerabilities. By scanning DKIM public keys, several keys affected by the 2008 Debian OpenSSL bug were discovered. This made it possible to create valid DKIM signatures for several high-profile domains. In some cases, the signed mails show up with a company logo in popular email clients due to a mechanism called BIMI.
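The kind of check the abstract describes, as an added example that is not badkeys' own code: it parses a DKIM TXT record, pulls the RSA modulus out of the DER-encoded public key in the `p=` tag, and tests a modulus fingerprint against a blocklist. The fingerprint format (SHA-1 over `Modulus=<hex>\n`, last 20 hex digits, as in Debian's openssl-blacklist) is an assumption here, and the key and blocklist are constructed toy values.

```python
"""Check a DKIM DNS record for a Debian-2008-style weak RSA key (constructed example)."""
import base64
import hashlib

def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record ('v=DKIM1; k=rsa; p=...') into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # p= may be folded over whitespace
    return tags

def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_from_spki(der: bytes):
    """Extract (n, e) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    _, spki, _ = _der_tlv(der, 0)            # outer SEQUENCE
    _, _, pos = _der_tlv(spki, 0)            # AlgorithmIdentifier, skipped
    tag, bits, _ = _der_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    _, rsa, _ = _der_tlv(bits, 1)            # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_tlv(rsa, 0)
    _, e_bytes, _ = _der_tlv(rsa, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def modulus_fingerprint(n: int) -> str:
    """Assumed openssl-blacklist style: SHA-1 of 'Modulus=<HEX>\\n', last 20 hex digits."""
    return hashlib.sha1(f"Modulus={n:X}\n".encode()).hexdigest()[20:]

def is_debian_weak(dkim_txt: str, blocklist: set) -> bool:
    """True if the record's RSA modulus fingerprint is in the blocklist."""
    tags = parse_dkim_record(dkim_txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return False  # non-RSA keys and revoked (empty p=) records are not affected
    n, _ = rsa_modulus_from_spki(base64.b64decode(tags["p"]))
    return modulus_fingerprint(n) in blocklist

# Constructed toy key (n = 3233, e = 17) hand-encoded as SPKI DER; real keys are 1024+ bits.
TOY_SPKI = bytes.fromhex("301b300d06092a864886f70d0101010500030a00300702020ca1020111")
TOY_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(TOY_SPKI).decode()
BLOCKLIST = {modulus_fingerprint(3233)}  # constructed; a real scan loads the blacklist files

if __name__ == "__main__":
    print(is_debian_weak(TOY_RECORD, BLOCKLIST))  # True
```

A real scan would fetch `<selector>._domainkey.<domain>` TXT records for your own domains and load the published blocklist instead of the constructed set.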

See also: https://badkeys.info/

https://16years.secvuln.info/

Room: c-base

Scheduled start: 2024-05-18 17:30:00
