I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bugbounty.

I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:
-----BEGIN RSA PRIVATE KEY-----
MIHxAgEAAjEAtTliQYV2Xvx1OGkDyOL799BTFEuobY2dn2AgtiKCQgrh78NVK1JK
j0yRXgNnPpGBAgMBAAECMF0t+TBZUCi8xATSMij7VLTxv5Xi5OIXesNiXOKtYIRP
LkpYfR5PggaMScfbmqSssQIZAMwOhm9d7Y7Qi7I2j1AlYbiqdtqO54T7FQIZAONa
9dJFkC6lM3EPXR+0SZ4dqwwpiM0nvQIYYgz8thi5JK264ohq9sTvnu9yKvUN9I09
AhgfgMYZKcxtujRjkSZtMzUUNLYzzDmJe90CGDKwqcBI0v9ChaR8WHht+/chMdxj
7ez94w==
-----END RSA PRIVATE KEY-----

@badkeys My educated guess is they couldn't fit larger keys into their DNS records...

@badkeys bruh

@buherator @badkeys

I installed a MariaDB cluster backed set of PowerDNS servers for that exact reason! There were a couple of other reasons but that was what finally made me roll up my sleeves.

@badkeys
Looks like they've fixed it now (?)

The TXT record is now
"v=DKIM1; k=rsa; g=*; s=email; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxALU5YkGFdl78dThpA8ji+/fQUxRLqG2NnZ9gILYigkIK4e/DVStSSo9MkV4DZz6RgQIDAQAB"

I really hope they generated a new key, and didn't just switch from publishing the private key to the corresponding public one...

@dragonfrog @badkeys Most people might not be fluent in base64-encoded ASN.1, but a trained eye can see that it's the same key.

Hint: A sufficiently strong RSA key cannot possibly be that short, and you know it's a DER-encoded pubkey because it starts with "ME" and ends with "AQAB" (0x10001, common RSA public exponent)

@buherator @badkeys No, they thought they were generating an ECDSA key, for which a 256 or 384 bit would be strong. But, they didn't provide the right arguments, and wound up with RSA. I think the OP posted the private key that they were able to crack trivially.

@millie @badkeys
Oh gosh, so they've removed the private key, but it's still the public key that goes with a private key that they already published.

A sound as if a thousand faces rested in a thousand palms, and a thousand IT people sighed heavily...

@dragonfrog @badkeys No, the private key was never published by t-systems, but it's so weak that it's very easy to crack. OP cracked and published the private key.

@mcr314 @badkeys Source? I doubt someone who makes a mistake like this knows what ECDSA is.

@badkeys You thought 384-bit was bad? I recently found a live, in daily use, 256-bit key in a, shall we say, large government entity that should know better (would rather not say much more publicly as its relevant to a paper under submission).

@badkeys This is the mastodon method of converting a private key into a public key. Scnr.

@badkeys

You had me at

-----BEGIN RSA PRIVATE KEY-----

;-)

@badkeys oooofffff

But why would they turn down the bug bounty????

@tanja Because they’re cheap assholes? Just a wild guess.

@badkeys bad companies that don’t pay out bug bounties can have uncoordinated public disclosure as a treat :3

@badkeys Telekom. Die machen das.

@keksdosenmann @badkeys

Die schaffen uns. 😮‍💨

@badkeys

What wat. they published the private key?!

@buherator @badkeys @mcr314 probably done by an apprentice anyway

@badkeys Way to go Telekom! Last time I found a 320 bit RSA key it was “protecting” people’s private information (https://palant.info/2023/01/25/ipinside-koreas-mandatory-spyware/#how-is-this-data-protected) and I even had a little difficulty finding a cryptography library that wouldn’t refuse working with a key so short.

@q @badkeys BSI at it again?

@16af93 @badkeys for once, its not the Germans

@badkeys RSA ?
You can literally get an API key for your python script to access a literal quantum computer. And someone already made shors alg. implementation exclusively for RSA cracking

If it were over 4096 bits its still Not Secure and crackable within seconds.
Literally Any modern post quantum algorirthm is orders of magnitude better...

@yama @badkeys Out of curiosity, what year are you posting from?

@badkeys
Do they accept mails from noncommercial mailservers at their nl branch or do they refuse them with "554 None/Bad Reputation" as the german branch does, unless the mail admin publishes full personal (!) contact infos on a webserver hosted on the smtp machine? Just asking, because THOSE guys behave like they wrote the SMTP RFCs all by themselves...

@momo Hab mich damit auch schon herum geärgert und mit einem "Musterbrief" frei gekauft: https://beko.famkos.net/2023/06/02/%c2%b7t%c2%b7%c2%b7%c2%b7error/

Die haben doch echt nicht mehr alle Latten am Zaun o0

@bekopharm
Ich konnte sie auf ein Kontaktformular runterhandeln, musste aber versichern, dass der Transport dann nicht per eMail erfolgt. Ich habe ne ntfy-Instanz auf einem meiner Server laufen, das Webformular generiert jetzt eine Notification auf mein Smartphone.

Eigentlich wollte ich den Zugriff per Firewall auf die Admin-Netzwerke der Telekom zumachen, aber das war für sie absolut inakzeptabel.

Aber bei jeder Gelegenheit seine eigenen Kunden in Geiselhaft nehmen und rumprotzen, dass sie der größte Provider Deutschlands sind und damit eigene Regeln festlegen können, an die sich jeder zu halten hat.

@momo @bekopharm das dreisteste ist es hängt scheinbar stark davon ab welchen Support Mitarbeiter man erreicht. Hab Jahre lang damit gelebt einfach keine E-Mails an t-online senden zu können. Wurde irgendwann dann aber doch zu nervig und ich habe sie nochmal kontaktiert. Dann haben sie ohne große Nachfrage einfach meine IP freigeschaltet 🤷

@buherator @badkeys
it is a wild theory but it is possible XD. nsd config accepts strings up to 256 chars in length and if you want a larger key you just have to split it into multiple strings that get naturally concatenated.

@badkeys "I asked for bugbounty, they said no, so here's a key and how to crack it.. please hurt this company".
really?!

@timnewsham @badkeys no one said "please hurt this company", that is your interpretation

@momo @badkeys sadly this is being normalized today.

• #Microsoft literally demands people to self-d0x or they just silently drop all eMails, even replies to their customers.
  • And OFC neither @BNetzA nor @EUCommission did anything about this.

@kkarhan @momo @badkeys @BNetzA @EUCommission Had the same issue just recently. I wonder how this can even be legal. 🤔

I wanted to ask a lawyer about this, but never came around doing so.

@Bebef @momo @badkeys Neither did I.

And the next-best qualified lawyer I'd know in that part is @wbs_legal.

• Sadly there's no legal precedent to establish the same "duty to deliver" as with #PostalOperators which ain't allowed to do anything unless explicitly instructed by the reciever or served a warrant by a judge.
  • And obviously regulators like @BNetzA & @EUCommission likely ain't even aware of this issue since #ConsumerProtection doesn't apply to #SmallBusinesses!

@kkarhan @Bebef @momo @badkeys @wbs_legal @BNetzA @EUCommission But AFAIK there is legal precedent with #WHOIS data where due to #GDPR the address data is no longer "just public", at least technically I see the analogy here…

@badkeys 😂

@badkeys "This is a public service announcement..."

@dsp @badkeys That's a limitation of DNS, and management UI's can make configuring larger strings quite frustrating. My favorite is when parts of the base64 gibberish are mixed up in the DNS response so you can see that there is something that *looks like* your public key, yet it won't verify your messages.