lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License
204 stars 34 forks

RFC 8616: Support utf-8 signatures #163

Open alevesely opened 4 years ago

alevesely commented 4 years ago

This bug is twofold. Both aspects of it originate from rfc8616, which allows d=, i=, and s= tags of a DKIM-Signature header field to be utf-8.

On the one hand, the verification fails with:

   7/29/2019, 18:56:38  DKIM_Verifier.Verifier  WARN    DKIM Signature Error (DKIM_SIGERROR_ILLFORMED_TAGSPEC): Signature is ill-formed (resource://dkim_verifier/helper.jsm:407:3) JS Stack trace: parseDKIMSignature@dkimVerifier.jsm:464:10

I think it's the regex in parseTagValueList which doesn't match utf-8 chars. If it can be made to match them, then you may need to use IDNA to convert the domain to an xn--... string before looking up the key.

On the other hand, utf-8 domain names allow homograph attacks using domains like, say, аmazon.com, where the first letter is a Cyrillic small а. Whether verified or not signed at all, a message from an IDN can be fully legitimate or a homographic attack. A coloring scheme or an icon that makes it easy to recognize non-ASCII domain names can save the day. Otherwise, one of us should open a Thunderbird bug as suggested here (see also my comment there). Mozilla have a heuristic algorithm, implemented for Firefox, to try and determine if an IDN is malicious; if we file a Thunderbird bug, we should mention it.
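Added example, not part of the thread or the add-on's code: a JavaScript sketch of the two points in the opening comment, namely a tag-list parser that accepts UTF-8 values with IDNA conversion before the key lookup, and flags a UI could use to mark IDN signing domains. All function names are hypothetical, the header is constructed, `d=` is assumed to be a host name rather than an IP literal, and the three-script check is a simplification, not Firefox's algorithm.

```javascript
// Added example; function names are hypothetical, not the add-on's API.

// Split an RFC 6376 tag-list. Values are matched by exclusion (anything
// except ";"), so UTF-8 in d=, s= and i= (RFC 8616) is accepted.
function parseTagList(header) {
  const specs = header.split(";");
  if (specs[specs.length - 1].trim() === "") specs.pop(); // trailing ";"
  const tags = new Map();
  for (const spec of specs) {
    const m = /^\s*([A-Za-z][A-Za-z0-9_]*)\s*=([\s\S]*)$/.exec(spec);
    if (!m) throw new Error("ill-formed tag-spec: " + spec.trim());
    if (tags.has(m[1])) throw new Error("duplicate tag: " + m[1]);
    tags.set(m[1], m[2].trim());
  }
  return tags;
}

// Convert a host name to its A-label (xn--) form. WHATWG URL host parsing
// applies IDNA processing; URL delimiters are rejected first so that the
// value cannot be reinterpreted as userinfo, port, path or an escape.
function toALabel(host) {
  if (host === "" || /[\s\/\\:@?#%\[\]]/.test(host)) throw new Error("bad host: " + host);
  return new URL("http://" + host).hostname;
}

// DNS name at which the public key is looked up: <s>._domainkey.<d>
function keyQueryName(tags) {
  const d = tags.get("d"), s = tags.get("s");
  if (!d || !s) throw new Error("missing d= or s= tag");
  return toALabel(s + "._domainkey." + d);
}

// Facts a UI could use to mark an IDN signing domain. The script test is a
// deliberately small stand-in (three scripts), not Firefox's algorithm.
function describeDomain(domain) {
  const scripts = [/\p{Script=Latin}/u, /\p{Script=Cyrillic}/u, /\p{Script=Greek}/u];
  const labels = domain.split(".");
  return {
    aLabel: toALabel(domain),
    nonAscii: labels.some((l) => /[^\x00-\x7F]/.test(l) || /^xn--/i.test(l)),
    mixedScript: labels.some((l) => scripts.filter((re) => re.test(l)).length > 1),
  };
}

// Constructed sample header (bh= and b= shortened to placeholders).
const sample = "v=1; a=rsa-sha256; d=bücher.example; s=sel; " +
  "i=jörg@bücher.example; h=from:subject; bh=AAAA=; b=BBBB==;";
```

DMARC or SPF alignment comparisons, as mentioned later in the thread, would compare the `aLabel` forms rather than the raw strings.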

lieser commented 4 years ago

Thanks for letting me know about RFC 8616, didn't yet know about it. It would probably take some time to adapt the add-on to it, especially because, like you mentioned, some kind of protection against homograph attacks should probably be added.

Are you aware of this new RFC already being actively used? Or did you just try it out with a special test mail? Unless it is already widely used, I don't see myself investing time into this any time soon.

Note that the add-on currently does not even handle all allowed local parts (as defined in RFC 6376) of the AUID (i= tag).

alevesely commented 4 years ago

I registered an IDN domain several years ago. A few months ago the server I use enabled EAI (the last in this list) so I'm experimenting with it. Gmail doesn't allow creating EAI accounts yet, but verifies signatures correctly. Right now, Thunderbird allows sending to IDN domains, but not to EAI local parts, nor creating accounts with IDN domains. So, no. AFAICS EAI is not yet widely used. However, I'd bet it will widely catch on before the Antarctic melts, especially in eastern countries.

The changes needed are probably a few lines, where the software unwarrantedly checks ASCII. If you do DMARC, alignment should provide for IDNA comparisons. Ditto for SPF. DKIM works fine with utf-8. Overall, it shouldn't need a big investment of time, but neither needs to be done in August...

Thank you for a nice add-on.

lieser commented 2 years ago

As part of #219 I also started to have a first look into this. If anyone has any real world example e-mails, please send them to me via e-mail. Thanks.

lieser commented 2 years ago

Some links that may be helpful when implementing this: