Popular Websites Have Weak DKIM Key Lengths

Google used a weak DomainKeys Identified Mail (DKIM) key, says one expert.

In an article on Wired.com, Zachary Harris, a mathematician, explains how he was approached by Google for a job--at least it appeared that Google approached him. Everything about the email appeared correct, even the header information, except for the DKIM key, which Harris said was unusually weak.

To test his theory, he sent Google co-founders Larry Page and Sergey Brin emails as though Larry was sharing something cool with Sergey--Harris' personal website. Harris reports that the next day, the DKIM key was increased from 512 to 2048 bits. He also said his personal site was visited by a large number of Google addresses.

But then Harris noticed the same problem existed elsewhere. DKIM keys used by PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC were also vulnerable to the same condition.

Harris told Wired.com: "A 384-bit key I can factor on my laptop in 24 hours. The 512-bit keys I can factor in about 72 hours using Amazon Web Services for $75. And I did do a number of those. Then there are the 768-bit keys. Those are not factorable by a normal person like me with my resources alone. But the government of Iran probably could, or a large group with sufficient computing resources could pull it off."
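The check a domain owner would want after reading this is simple to automate: fetch the selector's DKIM TXT record, decode the `p=` public key, and measure the RSA modulus. The Python below is an added example, not code from the article or from Harris; it parses the DER key itself (no third-party library) and flags anything under 1024 bits, the floor RFC 8301 sets for DKIM RSA keys. The records it checks are built around constructed placeholder moduli, not real keys, and the DNS lookup is left to the reader.

```python
import base64
import re

MIN_BITS = 1024   # RFC 8301 minimum; the 384/512/768-bit keys in the article all fall below it

def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (0x81/0x82 ...)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo (the DKIM p= value)."""
    _, spki, _ = _read_tlv(spki_der)                    # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read_tlv(spki)                         # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _read_tlv(spki, pos)                 # BIT STRING; first byte = unused bits
    _, rsapub, _ = _read_tlv(bitstr[1:])                # RSAPublicKey SEQUENCE
    tag, modulus, _ = _read_tlv(rsapub)                 # INTEGER n comes first
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt):
    """Classify a DKIM TXT record ('v=DKIM1; k=rsa; p=...') by modulus size."""
    tags = {k.strip(): re.sub(r"\s+", "", v)            # p= is often folded across strings
            for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}
    if tags.get("k", "rsa") != "rsa":
        return 0, "not-rsa"
    if not tags.get("p"):
        return 0, "revoked"                             # an empty p= means the key was revoked
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return bits, ("weak" if bits < MIN_BITS else "ok")

def _der(tag, body):
    """Encode one DER TLV with a minimal length field."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def constructed_dkim_record(bits, e=65537):
    """Build a DKIM record around a CONSTRUCTED placeholder modulus of `bits` bits (not a real key)."""
    n = (1 << (bits - 1)) | 1
    integer = lambda x: _der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))  # keeps sign bit clear
    rsapub = _der(0x30, integer(n) + integer(e))
    algid = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))  # rsaEncryption
    spki = _der(0x30, algid + _der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

To audit a live domain, feed `audit_dkim_record` the joined TXT strings of `<selector>._domainkey.<domain>`; the selector is named in the `s=` tag of any DKIM-Signature header the domain sends.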