What RRVS Doesn't Fix

RRVS (the Require-Recipient-Valid-Since Header Field) as documented in RFC 7293 seems like a neat idea. It was designed by Yahoo and Facebook folks with the best of intentions.

But as an identify theft prevention measure, I am worried that it really falls short. Here's the example that I just can't get past: Let's assume Yahoo has implemented RRVS for yahoo.com users. Great. But what about for addresses at the typo domain variant of yahoo.com I just registered a few weeks ago?

There was a great presentation on malicious domain registration/re-registration at an industry conference I was at recently. It highlighted how bad guys can watch for and purchase recently expired domains and are then practically given the "keys to the kingdom" when it comes to whatever that domain might have hosted or managed previously, whether it be email users or command and control for a botnet army.

At the end of the presentation, I had the opportunity to thank the guy and ask him and the crowd, think about what people can do with emailed password reset credentials in this scenario. I pointed out that I recently registered a specific typo domain (and there are millions more where that came from, both domains and actors) and when I started accepting mail for this typo domain, I immediately started receiving peoples' personal info, links to reset passwords, information on where people tried to set up accounts using email addresses at this domain, etc. Pretty scary stuff, and lots of opportunity for me to do bad things, if I was a bad guy. Very easy for me to identify and login to accounts of almost any type. I don't even have to go hunting; suggestions just keep landing in my inbox.

Thankfully, I'm not a bad guy. I'm not trying to login to any sites with any of these credentials or links. But what about the bad guys? They're not similarly restrained.

How do we stop the bad guys from exploiting this? How do we help senders of all stripes stop sending mail to domains after the domain has been repurposed? Maybe we start tracking age of domain, maybe tracking a centralized hash of ownership info, before sending a password reset notification, maybe something like this might help. If the domain is newer than the account with an email address at that domain, raise a red flag because something must be funny.

This is what RRVS tries to do, but it does it on a per-user level only, and only at a handful of recipient domains that have chosen to implement it. Thus, this secures maybe one or two doors in a way where it would be putting the lock on the wrong side for the others. All the others, the vast majority of domain names and mail providers.  "But we already have RRVS" was basically the response I heard when I brought this up. Well, yeah, but RRVS isn't stopping this at all.
Post a Comment