
Those 1,700 are easy to find though, just need to dig a bunch of domain names and you'll find plenty of vulnerable ones that you can spoof.

Yahoo Mail has a market share on the order of 3%. So a black hat could then target a decent chunk of users with @yahoo addresses specifically.

Has anyone heard of this being exploited in the wild? Would be interesting to find out whether there are some reputable domains among the 1.7k vulnerable ones.

Your claim that Yahoo uses a 512-bit key is counterfactual.

Please adhere to honesty and good faith arguments.


I never suggested that Yahoo uses 512-bit keys; that's a misunderstanding.

The article clearly states that Yahoo is one of the 3 clients that didn't reject 512-bit keys the way they should per RFC.

Yahoo Mail inbox users are vulnerable _receivers_ of spoofed emails.
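The rule the comment above refers to is RFC 8301: verifiers must not treat signatures made with RSA keys shorter than 1024 bits as valid. Below is an added example (not code from the article or from anyone in this thread) of the check a receiving verifier should apply: it parses a DKIM key TXT record, reads the modulus size out of the base64 DER public key, and classifies the selector. The sample records are built from arbitrary 512- and 1024-bit moduli, so they are constructed data, not real keys.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _der_tlv(tag, body):
    """Encode one DER tag-length-value with a definite (short- or long-form) length."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + body

def rsa_spki_der(n, e=65537):
    """Build a SubjectPublicKeyInfo for RSA (n, e); used here only to make sample records."""
    # (bit_length + 8) // 8 adds a leading 0x00 exactly when the top bit is set (DER sign rule)
    ints = b"".join(_der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big")) for v in (n, e))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + _der_tlv(0x30, ints)))

def _read_tlv(buf, pos, want):
    """Decode the TLV at pos, enforcing the expected tag; returns (value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected DER tag {want:#x}, got {tag:#x}")
    if ln & 0x80:  # long-form length: low 7 bits give how many bytes hold the real length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(spki):
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    body, _ = _read_tlv(spki, 0, 0x30)
    alg, pos = _read_tlv(body, 0, 0x30)
    if _read_tlv(alg, 0, 0x06)[0] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = _read_tlv(body, pos, 0x03)  # BIT STRING; bits[0] is the unused-bit count
    rsa, _ = _read_tlv(bits[1:], 0, 0x30)  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    return int.from_bytes(_read_tlv(rsa, 0, 0x02)[0], "big").bit_length()

def check_dkim_record(txt, min_bits=1024):
    """Classify a DKIM key record as an RFC 8301 verifier should: ok / reject / revoked / skip."""
    tags = {k.strip(): v.strip() for k, v in (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)}
    if tags.get("k", "rsa") != "rsa":
        return "skip", None  # non-RSA key types (e.g. ed25519) have a fixed size
    p = "".join(tags.get("p", "").split())  # p= may be folded across whitespace in DNS
    if not p:
        return "revoked", 0  # an empty p= tag means the selector's key has been revoked
    bits = rsa_modulus_bits(base64.b64decode(p))
    return ("ok" if bits >= min_bits else "reject"), bits

# Constructed sample records: arbitrary 512-bit and 1024-bit moduli, not real keys.
WEAK_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der((1 << 511) | 0x1234567)).decode()
STRONG_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der((1 << 1023) | 1)).decode()
```

A verifier that behaves like the lenient clients in the article would call `check_dkim_record(record, min_bits=512)` and accept the weak record; the RFC 8301 default rejects it.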


Remember when Yahoo Mail was the first one to implement DKIM validation, and then all mailing list owners added a footer telling their subscribers not to use Yahoo Mail because it was broken, instead of calling their mailing list providers to upload a key? Yeah, nobody remembers, but Yahoo probably does. I doubt they will err on the side of security again.

The Yahoo that built Yahoo Mail no longer exists, so actually they probably don't remember.