Thinking he was cracking a puzzle from Google recruiters, a Florida mathematician recently identified an encryption oversight affecting a number of major email domains, according to a story in Wired.
The mathematician, Zachary Harris, noticed a problem with the DKIM key, the cryptographic key that receiving mail servers use to verify that an email really came from the domain it claims. For security compliance, the DKIM standard requires keys of at least 1,024 bits in length. Google – as well as many other major sites such as Yahoo, Amazon, eBay, Apple, PayPal and more – did not meet this standard.
Harris was able to crack Google’s 512-bit key using some cloud computing resources and successfully spoof an email between Google founders Sergey Brin and Larry Page. Although many of the companies Harris contacted about the problem have since improved their encryption, not all have addressed the issue.
Others may have forgotten to remove the shorter key after deploying the new one, Harris added, leaving the vulnerability open. The case highlights the importance of regularly reviewing deployed configurations to catch errors and software security issues.
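The check a mail administrator would want after this story is a way to measure the key size actually published in DNS, including leftover selectors. The following is an added example, not code from the Wired story or from Harris: a stdlib-only Python audit that takes a DKIM TXT record, extracts the p= value, walks the DER of the RSA public key and reports the modulus size against the 1,024-bit minimum. All function names are my own, and the sample record is constructed (its modulus is just a number of the chosen size, not a real key).

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def _der(tag, body):
    n = len(body)
    if n >= 0x80:  # long-form length: 0x80|count, then big-endian length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body
def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def _read_tlv(buf, pos):
    # Return (tag, body, next_pos) for the DER element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size in bits of a DER SubjectPublicKeyInfo (RSA keys only)."""
    _, spki, _ = _read_tlv(spki_der, 0)
    _, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = _read_tlv(spki, pos)
    _, rsapub, _ = _read_tlv(bitstr[1:], 0)  # bitstr[0] is the unused-bits byte
    _, modulus, _ = _read_tlv(rsapub, 0)     # first INTEGER of RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt_record, minimum=1024):
    """Return (bits, ok) for the p= key in a DKIM TXT record."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    p = "".join(tags.get("p", "").split())  # TXT data may be split into chunks
    if not p:  # RFC 6376: an empty p= means the key has been revoked
        raise ValueError("no usable public key in record")
    bits = rsa_modulus_bits(base64.b64decode(p))
    return bits, bits >= minimum
def make_test_record(modulus_bits):
    # Constructed sample: an arbitrary odd number of the requested size, NOT a real key.
    n = (1 << (modulus_bits - 1)) | 1
    rsapub = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Run it against every selector your domain has ever published, not only the current one, since a forgotten short selector is still a valid signing key for a receiver.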
“People who use cryptographic tools need to realize that local configurations need to be maintained just like software updates need to be maintained,” Harris told Wired.
Security news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.