Google, Microsoft and Yahoo have also fixed a vulnerability in their e-mail systems. According to US-CERT, the flaw lay in DKIM (DomainKeys Identified Mail), the mechanism used to sign e-mails. It made it possible to forge messages so that they appeared to have been sent from their e-mail systems.
The problem is that the three operators used DKIM keys shorter than 1024 bits. Even 1024-bit RSA keys are now considered unsafe by some, because the computing power available through cloud computing makes it relatively easy to crack them by brute force.
The vulnerability was first reported by the mathematician Zachary Harris. He had received an e-mail that supposedly came from a recruiter at Google. The message header, which shows who the sender is, did not appear to have been tampered with. Harris noticed, however, that weak DKIM keys were in use.
As Wired reported, Harris cracked the key. He then e-mailed the Google founders Larry Page and Sergey Brin, since he took the message for a sophisticated recruiting test. He received no answer. Instead, he noticed that Google switched to a key length of 2048 bits in the following days.
According to Harris, other companies are affected as well. eBay and Twitter used keys of only 512 bits; financial service providers such as PayPal and HSBC used 768-bit keys.
In its security advisory, US-CERT recommends replacing all RSA keys shorter than 1024 bits and not permitting such short keys in either test environments or production systems. Since the beginning of the month, Microsoft has been distributing a patch via Windows Update that raises the minimum RSA key length required for Windows certificates to 1024 bits, in order to improve certificate security.
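The key-length problem described above (operators publishing DKIM keys below the 1024-bit floor US-CERT recommends) can be checked for one's own domains without any cracking: the public key is in the DNS TXT record's p= tag as a base64 DER SubjectPublicKeyInfo, and its modulus size is readable directly. The following is an added example, not code from the article or from US-CERT, and it uses only the Python standard library. The DKIM records it checks are constructed around made-up moduli (not real keys from any domain); in practice the record text would come from a DNS query for selector._domainkey.example.com.

```python
"""Read the RSA modulus length from a DKIM DNS TXT record (added example).

A minimal DER reader is used so no third-party library is required.
The fixture records are constructed from fake moduli and are not real keys.
"""
import base64

MIN_BITS = 1024  # the floor US-CERT recommends for RSA keys

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(data, pos):
    """Decode a DER length at data[pos]; return (length, next_pos)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def _der_item(data, pos):
    """Read one TLV at data[pos]; return (tag, value_bytes, next_pos)."""
    tag = data[pos]
    length, start = _der_len(data, pos + 1)
    return tag, data[start:start + length], start + length


def parse_dkim_tags(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace in values."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def rsa_modulus_bits(spki_der):
    """Return the modulus bit length from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _der_item(spki_der, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    tag, alg, pos = _der_item(spki, 0)              # AlgorithmIdentifier
    assert tag == 0x30 and alg.startswith(RSA_OID), "not an rsaEncryption key"
    tag, bitstr, _ = _der_item(spki, pos)           # BIT STRING holding RSAPublicKey
    assert tag == 0x03
    _, rsapub, _ = _der_item(bitstr[1:], 0)         # skip unused-bits byte
    tag, n_bytes, _ = _der_item(rsapub, 0)          # INTEGER n
    assert tag == 0x02
    return int.from_bytes(n_bytes, "big").bit_length()


def dkim_key_bits(txt):
    """Bit length of the RSA key published in a DKIM TXT record."""
    tags = parse_dkim_tags(txt)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("record is not an RSA DKIM key (or the key is revoked)")
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


def is_weak(txt, min_bits=MIN_BITS):
    """True if the record's key is below the recommended minimum."""
    return dkim_key_bits(txt) < min_bits


# --- constructed fixture: wrap a fake modulus in a SubjectPublicKeyInfo ---
def _der(tag, body):
    """Encode one TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:        # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def fake_dkim_record(bits):
    """DKIM TXT record carrying a non-functional modulus of the given size (constructed)."""
    n = (1 << (bits - 1)) | 0x10001          # top bit set so bit_length() == bits; NOT a real key
    rsapub = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        rec = fake_dkim_record(bits)
        print(bits, "weak" if is_weak(rec) else "ok")
```

Pointing dkim_key_bits at real records (for example the TXT record behind the s= selector and d= domain of an incoming DKIM-Signature header) is enough to spot the 512- and 768-bit keys the article mentions; rotating to a 2048-bit key, as Google did, and then removing the old selector's record is the remediation.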