<![CDATA[I reported an insecure DKIM key to Deutsche Telekom / T-Systems.]]>I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bugbounty.

I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:
-----BEGIN RSA PRIVATE KEY-----
MIHxAgEAAjEAtTliQYV2Xvx1OGkDyOL799BTFEuobY2dn2AgtiKCQgrh78NVK1JK
j0yRXgNnPpGBAgMBAAECMF0t+TBZUCi8xATSMij7VLTxv5Xi5OIXesNiXOKtYIRP
LkpYfR5PggaMScfbmqSssQIZAMwOhm9d7Y7Qi7I2j1AlYbiqdtqO54T7FQIZAONa
9dJFkC6lM3EPXR+0SZ4dqwwpiM0nvQIYYgz8thi5JK264ohq9sTvnu9yKvUN9I09
AhgfgMYZKcxtujRjkSZtMzUUNLYzzDmJe90CGDKwqcBI0v9ChaR8WHht+/chMdxj
7ez94w==
-----END RSA PRIVATE KEY-----

]]>https://forum.fedi.dk/topic/564bbb5b-889b-419a-9d93-f846c14fec8b/i-reported-an-insecure-dkim-key-to-deutsche-telekom-t-systems.RSS for NodeMon, 27 Apr 2026 13:54:23 GMTWed, 15 Apr 2026 07:34:51 GMT60<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Thu, 16 Apr 2026 07:27:25 GMT]]>@momo Hab mich damit auch schon herum geärgert und mit einem "Musterbrief" frei gekauft: https://beko.famkos.net/2023/06/02/%c2%b7t%c2%b7%c2%b7%c2%b7error/

Die haben doch echt nicht mehr alle Latten am Zaun o0

]]>https://forum.fedi.dk/post/https://indieweb.social/users/bekopharm/statuses/116413198864958767https://forum.fedi.dk/post/https://indieweb.social/users/bekopharm/statuses/116413198864958767Thu, 16 Apr 2026 07:27:25 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 23:04:33 GMT]]>@keksdosenmann @badkeys

Die schaffen uns. 😮💨

]]>https://forum.fedi.dk/post/https://23.social/users/christianrickert/statuses/116411221540254669https://forum.fedi.dk/post/https://23.social/users/christianrickert/statuses/116411221540254669Wed, 15 Apr 2026 23:04:33 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 22:30:17 GMT]]>things. And are shocked that email can be provided by something else then Google, outlook or Apple. On which of these is our email hosted I was asked. I had to explain very slowly that we are on the small option "other".
@kkarhan @momo @badkeys @BNetzA @EUCommission @Bebef

]]>https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116411086772153234https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116411086772153234Wed, 15 Apr 2026 22:30:17 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 22:30:16 GMT]]>@Bebef
The really odd thing is it's not the oldies that nowadays are a problem, it's the youngsters, we literally had a complaint today about the PIM/office suite we use, our CEO nicely played that one. He's open to all proposals for alternatives from a company headquartered in the EEA for legal reasons.

Interestingly the C level has no problem IMAP, and accessing the calendar over CalDAV. But the youngsters have never heard of these @kkarhan @momo @badkeys @BNetzA @EUCommission

]]>https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116411086704805720https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116411086704805720Wed, 15 Apr 2026 22:30:16 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 22:28:42 GMT]]>@badkeys@infosec.exchange ..OMFG ..​

]]>https://forum.fedi.dk/post/https://mk.absturztau.be/notes/al46s2kws91z0027https://forum.fedi.dk/post/https://mk.absturztau.be/notes/al46s2kws91z0027Wed, 15 Apr 2026 22:28:42 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 22:17:31 GMT]]>@Bebef
It's probably not, some countries have really tough laws that they apply to email delivery and privacy that makes even spam filtering a legally dicey proposition

But let me put it like this, who wants to sue a company that has a legal budget bigger than the whole government budget of some of the poorer EU MS?

And in the end as long as the users won't start moving their fat posteriors away from the big tech monopolies, ...
@kkarhan @momo @badkeys @BNetzA @EUCommission

]]>https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116411036560307936https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116411036560307936Wed, 15 Apr 2026 22:17:31 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 20:56:28 GMT]]>@badkeys Telekom. Die machen das.

]]>https://forum.fedi.dk/post/https://mastodon.social/users/keksdosenmann/statuses/116410717850657902https://forum.fedi.dk/post/https://mastodon.social/users/keksdosenmann/statuses/116410717850657902Wed, 15 Apr 2026 20:56:28 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 20:31:02 GMT]]>@q @16af93 @badkeys iirc 256-bit rsa is satcomms 'standards'

]]>https://forum.fedi.dk/post/https://www.librepunk.club/users/sys64738/statuses/116410617868295662https://forum.fedi.dk/post/https://www.librepunk.club/users/sys64738/statuses/116410617868295662Wed, 15 Apr 2026 20:31:02 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 20:17:32 GMT]]>@badkeys
That was crackable with private entity resources decades ago.

That's not even funny.

]]>https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116410564778733371https://forum.fedi.dk/post/https://mastodon.social/users/yacc143/statuses/116410564778733371Wed, 15 Apr 2026 20:17:32 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 20:15:24 GMT]]>@16af93 @badkeys for once, its not the Germans

]]>https://forum.fedi.dk/post/https://glauca.space/users/q/statuses/116410556353269138https://forum.fedi.dk/post/https://glauca.space/users/q/statuses/116410556353269138Wed, 15 Apr 2026 20:15:24 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 20:00:52 GMT]]>@kkarhan @momo @badkeys @BNetzA @EUCommission Had the same issue just recently. I wonder how this can even be legal. 🤔

I wanted to ask a lawyer about this, but never came around doing so.

]]>https://forum.fedi.dk/post/https://mastodon.social/users/Bebef/statuses/116410499242582380https://forum.fedi.dk/post/https://mastodon.social/users/Bebef/statuses/116410499242582380Wed, 15 Apr 2026 20:00:52 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 19:58:14 GMT]]>@badkeys@infosec.exchange

send an email coming from them.

]]>https://forum.fedi.dk/post/https://app.wafrn.net/fediverse/post/6e4be629-dd7e-4221-8ab5-79fa53503073https://forum.fedi.dk/post/https://app.wafrn.net/fediverse/post/6e4be629-dd7e-4221-8ab5-79fa53503073Wed, 15 Apr 2026 19:58:14 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 19:20:41 GMT]]>@millie @badkeys thank you, I get it now. Iguess I'm having a slow day!

]]>https://forum.fedi.dk/post/https://mastodon.sdf.org/users/dragonfrog/statuses/116410341219776870https://forum.fedi.dk/post/https://mastodon.sdf.org/users/dragonfrog/statuses/116410341219776870Wed, 15 Apr 2026 19:20:41 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 19:17:36 GMT]]>@mcr314 @badkeys Source? I doubt someone who makes a mistake like this knows what ECDSA is.]]>https://forum.fedi.dk/post/https://infosec.place/objects/c41c11ad-f601-412a-8472-f24609810b57https://forum.fedi.dk/post/https://infosec.place/objects/c41c11ad-f601-412a-8472-f24609810b57Wed, 15 Apr 2026 19:17:36 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 19:12:39 GMT]]>@dragonfrog @badkeys No, the private key was never published by t-systems, but it's so weak that it's very easy to crack. OP cracked and published the private key.

]]>https://forum.fedi.dk/post/https://infosec.exchange/users/millie/statuses/116410309670796122https://forum.fedi.dk/post/https://infosec.exchange/users/millie/statuses/116410309670796122Wed, 15 Apr 2026 19:12:39 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 19:10:43 GMT]]>@millie @badkeys
Oh gosh, so they've removed the private key, but it's still the public key that goes with a private key that they already published.

A sound as if a thousand faces rested in a thousand palms, and a thousand IT people sighed heavily...

]]>https://forum.fedi.dk/post/https://mastodon.sdf.org/users/dragonfrog/statuses/116410302054379571https://forum.fedi.dk/post/https://mastodon.sdf.org/users/dragonfrog/statuses/116410302054379571Wed, 15 Apr 2026 19:10:43 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 18:50:46 GMT]]>@buherator @badkeys No, they thought they were generating an ECDSA key, for which a 256 or 384 bit would be strong. But, they didn't provide the right arguments, and wound up with RSA. I think the OP posted the private key that they were able to crack trivially.

]]>https://forum.fedi.dk/post/https://todon.nl/users/mcr314/statuses/116410223621733588https://forum.fedi.dk/post/https://todon.nl/users/mcr314/statuses/116410223621733588Wed, 15 Apr 2026 18:50:46 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 18:45:08 GMT]]>@dragonfrog @badkeys Most people might not be fluent in base64-encoded ASN.1, but a trained eye can see that it's the same key.

Hint: A sufficiently strong RSA key cannot possibly be that short, and you know it's a DER-encoded pubkey because it starts with "ME" and ends with "AQAB" (0x10001, common RSA public exponent)

]]>https://forum.fedi.dk/post/https://infosec.exchange/users/millie/statuses/116410201410937005https://forum.fedi.dk/post/https://infosec.exchange/users/millie/statuses/116410201410937005Wed, 15 Apr 2026 18:45:08 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 18:29:59 GMT]]>@buherator @badkeys

I installed a MariaDB cluster backed set of PowerDNS servers for that exact reason! There were a couple of other reasons but that was what finally made me roll up my sleeves.

]]>https://forum.fedi.dk/post/https://mastodonapp.uk/users/gerdesj/statuses/116410141872272493https://forum.fedi.dk/post/https://mastodonapp.uk/users/gerdesj/statuses/116410141872272493Wed, 15 Apr 2026 18:29:59 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 18:02:53 GMT]]>@badkeys bruh

]]>https://forum.fedi.dk/post/https://ioc.exchange/users/wall_e/statuses/116410035292999169https://forum.fedi.dk/post/https://ioc.exchange/users/wall_e/statuses/116410035292999169Wed, 15 Apr 2026 18:02:53 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 16:46:36 GMT]]>@badkeys My educated guess is they couldn't fit larger keys into their DNS records...]]>https://forum.fedi.dk/post/https://infosec.place/objects/ced8b468-c85d-4b8d-9fae-d275d56f8ff5https://forum.fedi.dk/post/https://infosec.place/objects/ced8b468-c85d-4b8d-9fae-d275d56f8ff5Wed, 15 Apr 2026 16:46:36 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 16:41:46 GMT]]>@momo @badkeys sadly this is being normalized today.

  • literally demands people to self-d0x or they just silently drop all eMails, even replies to their customers.
]]>https://forum.fedi.dk/post/https://jorts.horse/users/kkarhan/statuses/116409716311917598https://forum.fedi.dk/post/https://jorts.horse/users/kkarhan/statuses/116409716311917598Wed, 15 Apr 2026 16:41:46 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 16:35:35 GMT]]>@badkeys
Looks like they've fixed it now (?)

The TXT record is now
"v=DKIM1; k=rsa; g=*; s=email; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxALU5YkGFdl78dThpA8ji+/fQUxRLqG2NnZ9gILYigkIK4e/DVStSSo9MkV4DZz6RgQIDAQAB"

I really hope they generated a new key, and didn't just switch from publishing the private key to the corresponding public one...

]]>https://forum.fedi.dk/post/https://mastodon.sdf.org/users/dragonfrog/statuses/116409692026086423https://forum.fedi.dk/post/https://mastodon.sdf.org/users/dragonfrog/statuses/116409692026086423Wed, 15 Apr 2026 16:35:35 GMT<![CDATA[Reply to I reported an insecure DKIM key to Deutsche Telekom / T-Systems. on Wed, 15 Apr 2026 15:37:27 GMT]]>@badkeys
Do they accept mails from noncommercial mailservers at their nl branch or do they refuse them with "554 None/Bad Reputation" as the german branch does, unless the mail admin publishes full personal (!) contact infos on a webserver hosted on the smtp machine? Just asking, because THOSE guys behave like they wrote the SMTP RFCs all by themselves...

]]>https://forum.fedi.dk/post/https://social.linux.pizza/users/momo/statuses/116409463450565355https://forum.fedi.dk/post/https://social.linux.pizza/users/momo/statuses/116409463450565355Wed, 15 Apr 2026 15:37:27 GMT