@glauca Hey, any chance you’re going to support configuring webauthn as the sole 2FA option for accounts?
@tomlowenthal And this is why I’ve been putting off moving somewhere else for years now
@tomlowenthal Google Workspace is the only other option that I’m aware of…
Annnd tagging @fastmail here got an immediate response to the ticket confirming that as of this week they "now require an aligned DKIM pass for BIMI".
So @fastmail didn’t respond at all to my report sent to security@ about the BIMI spoofing issue. The auto reply from their ticket system claimed that it may take “10 business days to respond” which elapsed this morning (and is way too long for an initial response to a security issue).
Great coverage of the BIMI spoofing issue from AJ: https://cyberscoop.com/security-professionals-tweet-bimi-google-gmail/
@aliu I did in the next post in my thread! Great paper!
@kurtseifried BIMI doesn't show up if you're using the native Mail app on iOS with Gmail because they aren't adding the message headers that it is looking for. The logos do show up in the Gmail app.
My only complaint is about the extremely misleading verified checkmark/tooltip (and equivalent UI in Apple Mail). I agree that the logos have no meaningful impact given that Gmail shows profile images.
@kurtseifried It only shows up in Mail if you are using iCloud for mail or another mail server that adds some BIMI verification headers (currently Fastmail).
@kurtseifried This is what it looks like in Apple Mail (note that iCloud does check DKIM but Fastmail doesn’t, which is how I spoofed this)
@kurtseifried Of course the phishing risk already exists.
There is now a tooltip with an explanation on the checkmark.
I'm absolutely not saying that BIMI will ever fix anything at all related to phishing, just that the current verified checkmark/tooltip makes BIMI _more dangerous_ than not having it given how lax the email validation is.
@kurtseifried That makes sense in the abstract, but Gmail and Apple have decided to add misleading security-critical indicators to the BIMI UI treatment. So by enabling it you expose users to a pretty scary additional phishing risk due to the ease of spoofing.
@daniel_ess @filippo For starters, the part where it doesn't require DKIM _at all_
@gvlx Definitely no bounty.
Full email: https://gist.github.com/titanous/b949c744cfd0be35b9980377bae780a8
I replicated the Microsoft 365 spoofing issue after Chris Plummer spotted it being exploited in the wild against ups.com: https://twitter.com/chrisplummer/status/1664075886545575941
Chris eventually posted the headers and after a bit of fiddling in Exchange Online, and many cursed PowerShell cmdlet errors from the web UI, I figured out how it worked.
I reported it to MSRC, but I think they failed to triage properly because they closed the report as wontfix yesterday. Today I noticed that they fixed it by rewriting the envelope sender, presumably because either Google or UPS contacted them about it.
UPS also removed outlook.com from their SPF at some point yesterday.
@glyph Google is looking into it: https://twitter.com/chrisplummer/status/1664348988143722500
I emailed Fastmail but haven't heard back.
@glyph For some reason they overindexed on DMARC and technically messages that have aligned SPF and any DKIM state (including none or a different domain!?) are considered valid by DMARC. Buried in a separate draft there is a suggestion that _maybe_ just relying on DMARC isn't enough: https://datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance#name-validation-of-a-bimi-messag
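The DMARC evaluation described in the post above, as an added example that is not code from the thread or from any of the providers mentioned: a minimal evaluator showing that an aligned SPF pass alone yields a DMARC pass whatever the DKIM state, next to a stricter BIMI gate that additionally requires an aligned DKIM pass. The domain names, the sample authentication results, and the simplified organizational-domain derivation are assumptions made for the example.

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Simplified organizational domain: last two labels. A real evaluator
    # consults the Public Suffix List instead (assumption for this example).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    # "r" = relaxed alignment (same organizational domain), "s" = strict.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                # domain in the RFC5322.From header
    spf_result: str                 # "pass", "fail", "none", ...
    spf_domain: str                 # envelope sender (MAIL FROM) domain
    dkim: list = field(default_factory=list)  # [(result, d= domain), ...]


def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    # DMARC passes if EITHER an aligned SPF pass OR an aligned DKIM pass exists.
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, adkim) for res, d in r.dkim)
    return spf_ok or dkim_ok


def bimi_eligible(r: AuthResults) -> bool:
    # Stricter gate: DMARC pass is necessary but not sufficient; an aligned
    # DKIM pass is required before a logo/checkmark is shown.
    dkim_aligned = any(res == "pass" and aligned(d, r.from_domain) for res, d in r.dkim)
    return dmarc_pass(r) and dkim_aligned


# Constructed sample results (not real messages). SPOOFED models a relay that
# passes SPF for the envelope domain while the only DKIM signature is foreign.
SPOOFED = AuthResults("brand.example", "pass", "brand.example",
                      [("pass", "mail.relay.example")])
LEGIT = AuthResults("brand.example", "pass", "bounce.brand.example",
                    [("pass", "brand.example")])
UNAUTHENTICATED = AuthResults("brand.example", "fail", "brand.example", [])
```

With these inputs the spoofed message passes DMARC but fails the BIMI gate, which is the gap the post describes.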