Verifying a DKIM TXT Record and Key Length

After reading the Wired story last week about Zachary Harris discovering a widespread vulnerability related to the use of weak cryptographic DKIM keys (less than 1024 bits) by companies like Google, eBay, Yahoo, Twitter and PayPal, and the subsequent CERT warning (VU#268267), I decided to write a quick tool to check DKIM TXT records and determine their key length:

This tool grabs your DKIM DNS TXT record and uses OpenSSL to parse the contained public key to determine its key length.

Github SSH Public Key Fingerprint Checking

A security vulnerability was discovered at GitHub this week that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. Although there was no known malicious use of the flaw, GitHub is taking the responsible step of emailing every user who has SSH keys associated with their account, asking them to verify and approve those keys before they can be used to clone, pull or push repositories over SSH.

The GitHub audit page looks like this:

GitHub ssh key audit screenshot

Here’s a quick reminder of how to get the fingerprint of your SSH public key using the ssh-keygen command. Use the name of your local public key file that you want to check.

ssh-keygen -lf id_protodave_github.pub

The resulting fingerprint will look like:

2048 b5:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:2f  protodave@github (RSA)

If the fingerprint of your local, trusted copy of the public key matches the one GitHub shows you, it is safe to click “Approve”. A listed key whose fingerprint matches none of the public keys you hold is exactly what this audit is meant to catch, so do not approve it.
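As an added example (my own code, not from the original post and not OpenSSH's), here is what ssh-keygen -lf computes, done by hand in Python so you can see exactly what you are comparing: the MD5 of the base64-decoded key blob printed as colon-separated hex, plus the key size read out of the blob's RSA modulus. The sample key line is constructed in the code from a made-up 2048-bit integer and is not a real key; all function names are mine.

```python
"""Reproduce what `ssh-keygen -lf key.pub` prints, from an OpenSSH public key
line, without calling ssh-keygen: key size, fingerprint, comment and type."""
import base64
import hashlib
import struct


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(x):
    # RFC 4251 mpint: big-endian, with a leading 0x00 when the top bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def rsa_pubkey_line(n, e=65537, comment="protodave@github"):
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> <comment>' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def _read_string(blob, pos):
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def parse_pubkey_line(line):
    """Return (key_type, blob, comment); the blob is the wire-format key that gets hashed."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    wire_type, _ = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the blob")
    return key_type, blob, comment


def key_bits(key_type, blob):
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled here")
    _, pos = _read_string(blob, 0)        # "ssh-rsa"
    _, pos = _read_string(blob, pos)      # public exponent e
    modulus, _ = _read_string(blob, pos)  # modulus n
    return int.from_bytes(modulus, "big").bit_length()


def md5_fingerprint(blob):
    """Legacy colon-separated form, what ssh-keygen -l printed before OpenSSH 6.8."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """Current default form: SHA256:<unpadded base64>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def ssh_keygen_l(line):
    """Same line that `ssh-keygen -E md5 -lf key.pub` prints."""
    key_type, blob, comment = parse_pubkey_line(line)
    label = key_type.split("-", 1)[1].upper()  # ssh-rsa -> RSA
    return "%d %s %s (%s)" % (key_bits(key_type, blob), md5_fingerprint(blob), comment, label)


def fingerprint_matches(shown, line):
    """Compare a fingerprint copied from the GitHub audit page with a local key file line."""
    _, blob, _ = parse_pubkey_line(line)
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == sha256_fingerprint(blob)
    if shown.lower().startswith("md5:"):
        shown = shown[4:]
    return shown.lower() == md5_fingerprint(blob)


# Constructed sample: the modulus is just a 2048-bit odd integer, not a real key.
SAMPLE_PUBKEY = rsa_pubkey_line((1 << 2047) | 0x10001)

if __name__ == "__main__":
    print(ssh_keygen_l(SAMPLE_PUBKEY))
```

Newer OpenSSH (6.8 and later) prints a SHA256:… fingerprint by default; ssh-keygen -E md5 -lf key.pub gives the colon-separated form shown above, and fingerprint_matches accepts either. Whatever the form, compare against the key file on the machine you actually use, not against a copy someone sent you.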

Javascript Word Wrapping

I recently needed to do some manual word wrapping (and possibly hyphenation) of strings in JavaScript and found some interesting code projects:

Checking your DKIM DNS record

Update — Due to the recently released vulnerability related to the use of weak cryptographic DKIM keys, I wrote an online tool to check and verify DKIM TXT records, and determine their public key length: DKIM Key Checker

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication method that lets a receiver detect mail forged in the name of a domain (spoofing), a technique widely used in spam and phishing.

How does DKIM work?

The DKIM system lets email receivers confirm that a message claiming to come from a particular domain was in fact authorized by that domain’s owner. This does not prove the sender is not a spammer, since a spammer can sign mail for a domain they control; what it gives the receiver is a verified domain to which reputation and filtering policy can be tied.

The receiver verifies this claim using the digital signature carried in the message’s DKIM-Signature: header. The header’s d= and s= tags name the signing domain and a selector, and the receiver fetches the signer’s public key from the DNS TXT record at <selector>._domainkey.<domain>.

Verifying the signature also assures the integrity of the message itself: the signer places a hash of the (canonicalized) body in the bh= tag of the DKIM-Signature: header, and the signature covers that header together with the header fields listed in h=. A receiver that recomputes the body hash and verifies the signature therefore detects modification of either the body or the signed headers.
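To make the receiver-side steps concrete, here is an added example (my own code, not the author’s and not any DKIM library’s) that parses a DKIM-Signature: header value, derives the DNS name where the public key is published, and recomputes the body hash bh= over a canonicalized body. It deliberately stops before the RSA check of b=, which needs the fetched public key. The sample header and body are constructed in the code; tag names and the canonicalization rules follow RFC 6376.

```python
"""Receiver-side DKIM steps up to, but not including, the RSA signature
check: parse the DKIM-Signature: header, derive where the public key is
published, and recompute the body hash (bh=) to detect body tampering."""
import base64
import hashlib
import re


def parse_tag_list(value):
    """DKIM tag=value list (RFC 6376 section 3.2); folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_dns_name(tags):
    """Where the receiver looks up the signer's public key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def canonicalize_body(body, mode="simple"):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # relaxed: strip trailing whitespace, collapse runs of WSP to one space
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":      # both modes drop trailing empty lines
        lines.pop()
    if not lines and mode == "relaxed":
        return ""                         # an empty body stays empty in relaxed mode
    return "\r\n".join(lines) + "\r\n"    # ...and otherwise ends with exactly one CRLF


def body_hash(body, tags):
    """Base64 hash of the canonicalized body, as it appears in the bh= tag."""
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    data = canonicalize_body(body, body_mode).encode()
    if "l" in tags:                       # optional l= tag: hash only the first l bytes
        data = data[:int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def body_hash_matches(tags, body):
    return body_hash(body, tags) == tags.get("bh")


# Constructed sample (not a real message). b= is left empty because producing it
# needs the signer's private key; only the bh= step is exercised here.
SAMPLE_BODY = "Hello,\r\n\r\nPlease review the attached invoice.  \r\n\r\n\r\n"
_SAMPLE_TAGS = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed",
                "d": "example.com", "s": "sel2012",
                "h": "from:to:subject:date", "b": ""}


def sample_signature_header():
    tags = dict(_SAMPLE_TAGS)
    tags["bh"] = body_hash(SAMPLE_BODY, tags)
    return "; ".join("%s=%s" % kv for kv in tags.items())


if __name__ == "__main__":
    header = sample_signature_header()
    tags = parse_tag_list(header)
    print("lookup TXT record:", key_dns_name(tags))
    print("body hash matches:", body_hash_matches(tags, SAMPLE_BODY))
    print("tampered body:", body_hash_matches(tags, SAMPLE_BODY.replace("invoice", "refund")))
```

The bh= check on its own authenticates nothing: an attacker who rewrites the body can just as easily rewrite bh=. It is the signature in b=, computed over the DKIM-Signature header itself and the h= fields, that makes the body hash trustworthy, so a real verifier always does both steps.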

DKIM For The Masses

Google announced today they have added the ability for Google Apps customers to sign outbound email using the DKIM standard.

You can set it up for your own Google Apps domain (if you are the domain admin) using these instructions.

It’s a simple process but the trickiest part can be creating the DNS TXT record (which contains your DKIM public key), depending on how you manage your DNS. If you are serving DNS directly via your registrar, Google has some specific instructions for popular domain hosts.

Checking your work

Here’s a quick tip on how to check that you created the record properly and that it is actually being served…
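As an added example serving both this check and the DKIM key length tool described at the top of the page (this is my own code, not the author’s tool), here is a standard-library Python checker that takes the TXT record text, either raw or in the quoted chunks that dig prints, decodes the p= value and reads the RSA modulus size out of the DER SubjectPublicKeyInfo, the same structure openssl parses when you feed it the key. The sample records are constructed in the code from integers of the right size, not real keys; against a live domain you would obtain the text with dig +short TXT <selector>._domainkey.<domain>. Helper names are mine.

```python
"""Check the key length published in a DKIM TXT record using only the
standard library: decode the base64 "p=" value and walk the DER
SubjectPublicKeyInfo just far enough to reach the RSA modulus."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


# --- minimal DER encoder, used only to build the constructed sample records ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(x):
    # positive INTEGER: a leading 0x00 is added when the top bit would be set
    return _der_tlv(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))


def rsa_spki_der(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key, the DER that p= carries base64-encoded."""
    rsa_public_key = _der_tlv(0x30, _der_int(n) + _der_int(e))
    algorithm = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
    return _der_tlv(0x30, algorithm + _der_tlv(0x03, b"\x00" + rsa_public_key))


# --- checker side ---
def _der_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def from_dig_output(txt):
    """Join the quoted chunks dig prints for a long TXT record into one string."""
    return "".join(re.findall(r'"([^"]*)"', txt))


def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict; whitespace inside values is dropped."""
    return {k: re.sub(r"\s+", "", v) for k, v in re.findall(r"(\w+)\s*=([^;]*)", txt)}


def rsa_modulus_bits(spki_der):
    tag, spki, _ = _der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE (SubjectPublicKeyInfo)")
    _, algorithm, pos = _der_read(spki, 0)
    oid_tag, oid, _ = _der_read(algorithm, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bit_tag, bitstring, _ = _der_read(spki, pos)
    if bit_tag != 0x03:
        raise ValueError("expected BIT STRING after AlgorithmIdentifier")
    _, rsa_public_key, _ = _der_read(bitstring[1:], 0)  # skip the unused-bits byte
    _, modulus, _ = _der_read(rsa_public_key, 0)        # INTEGER n comes before e
    return int.from_bytes(modulus, "big").bit_length()


def dkim_key_bits(txt):
    """Key length of the RSA key in a DKIM TXT record (raw text or dig-quoted form)."""
    if '"' in txt:
        txt = from_dig_output(txt)
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type: " + tags["k"])
    if not tags.get("p"):
        raise ValueError("empty p= tag: the key is revoked or the record is malformed")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


def verdict(bits):
    # the 2012 advisory threshold: anything under 1024 bits is considered weak
    return "WEAK" if bits < 1024 else "OK"


def _sample_record(bits):
    # Constructed: the modulus is just an odd integer of the requested size,
    # not a real RSA modulus, which is all the length check needs.
    n = (1 << (bits - 1)) | 0x10001
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n)).decode()


SAMPLE_WEAK = _sample_record(512)
SAMPLE_OK = _sample_record(2048)
# dig prints records longer than one character-string as several quoted chunks
SAMPLE_DIG = '"%s" "%s"' % (SAMPLE_OK[:60], SAMPLE_OK[60:])

if __name__ == "__main__":
    for name, record in [("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK), ("dig", SAMPLE_DIG)]:
        bits = dkim_key_bits(record)
        print(name, bits, verdict(bits))
```

An empty p= value is how DKIM expresses a revoked key, and a record that dig returns as several quoted strings is normal for 2048-bit keys, which do not fit in a single 255-byte TXT character-string; the checker joins the chunks before parsing. The 1024-bit line is the 2012 advisory threshold; later guidance (RFC 8301) says signers should use at least 2048-bit keys.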
