Google, Microsoft, Yahoo!, PayPal and eBay recently closed a gap in the cryptographic system used by their e-mail services that allowed attackers to forge a digital signature and send messages purporting to come from employees of these companies.
The vulnerability lies in DomainKeys Identified Mail (DKIM), a system e-mail providers use to attach a cryptographic signature to outgoing messages. The signature confirms the sender's domain name, which simplifies the filtering of malicious messages.
The problem with the DKIM deployments was that when the signing key is shorter than 1024 bits, it can be forged given sufficient computing power. US-CERT confirmed in its notice that keys shorter than 1,024 bits do not provide an adequate level of security, and that any key up to RSA-768 can be forged.
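The practical defensive check that follows from this is to inspect a domain's published DKIM selector record and measure the RSA modulus it carries. The example below is added here and is not from the original article: it parses a DKIM TXT record (`v=DKIM1; k=rsa; p=...`), decodes the SubjectPublicKeyInfo with a minimal DER reader, and flags keys under 1024 bits. The two sample records are constructed in the block from made-up moduli (they are not real keys); in practice the record would be fetched from DNS at `<selector>._domainkey.<domain>`.

```python
import base64
import re

MIN_DKIM_KEY_BITS = 1024  # threshold named in the US-CERT notice
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER-encoded OID 1.2.840.113549.1.1.1

def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    # one extra byte so a leading 0x00 is emitted when the high bit is set
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_spki_der(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo for an RSA key; used only to construct samples."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the modulus inside an RSA SubjectPublicKeyInfo."""
    _, spki, _ = _read_tlv(spki_der, 0)             # outer SEQUENCE
    _, alg_id, pos = _read_tlv(spki, 0)             # AlgorithmIdentifier
    if not alg_id.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    _, bit_string, _ = _read_tlv(spki, pos)         # BIT STRING, first byte = unused bits
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)    # RSAPublicKey SEQUENCE
    _, modulus, _ = _read_tlv(rsa_key, 0)           # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_bits(txt_record):
    """Parse a DKIM TXT record and return the size of its RSA key in bits."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # p= is often folded across whitespace
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type: " + tags["k"])
    if not tags.get("p"):
        raise ValueError("empty p= tag: key has been revoked")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))

def is_weak_dkim_key(txt_record):
    return dkim_key_bits(txt_record) < MIN_DKIM_KEY_BITS

# Constructed sample records (made-up moduli, not real keys): 512-bit and 2048-bit.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der((1 << 511) | 0x1234567)).decode()
STRONG_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der((1 << 2047) | 1)).decode()
```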
The issue was first reported by Zachary Harris, an American mathematician from Florida, who received a message from a Google recruiter that was signed with a 512-bit key. According to Wired, he decided to demonstrate his finding by sending Sergey Brin a message purportedly from Larry Page, while Larry Page in turn received a message purportedly from Sergey Brin.
Harris later found that the problem was not limited to Google: Internet companies Microsoft, PayPal, Yahoo!, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, US Bank, HP, Match.com and HSBC could also fall victim to such forgery.