The 512-bit encryption previously used by Google’s mail servers was deemed hackable in less than 72 hours, enabling Harris to forge a seemingly legitimate digital signature and impersonate Sergey Brin, Google’s founder.
Harris estimated that Google Play was unsafe as well, as customers could have received spoofed emails from attackers exploiting the same vulnerability. Although Google fixed the flaw by putting 2048-bit keys in place, Google Apps customers have to generate domain keys and activate DKIM authentication manually.
Google provides step-by-step instructions that enable users to obtain 1024-bit domain keys so that email spoofing won’t be possible. With all Google domains now sporting 2048-bit keys, enforcing the same security policy for Google Apps might be trickier because more processing power would be required.
Harris believes that companies should be less bent on using strong keys and more focused on keeping up with the latest cryptographic standards. Emphasizing that companies should heed industry professionals’ warnings and research updates, Harris said configuration settings and security fixes should be checked on a regular basis.
“The most important thing is that you don’t just set this up once and forget about it,” Harris said.
Google Apps users are encouraged to follow Google’s tutorials on how to plug the DKIM vulnerability and avoid possible email spoofing.
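The regular check Harris recommends comes down to one measurable fact: how long the RSA modulus in a domain's published DKIM key is. The following script, written here as an added example and not code from the article or from Google, parses a DKIM TXT record (`v=DKIM1; k=rsa; p=...`), decodes the base64 SubjectPublicKeyInfo in the `p=` tag with a minimal DER reader, and reports whether the modulus meets a minimum of 1024 bits, the figure the article gives for Google Apps domain keys. The two sample records are constructed in the block from synthetic moduli chosen only for their bit length; they are not real RSA keys and not any real domain's record.

```python
import base64
import re

# --- minimal DER helpers; the encoder is used only to build the constructed samples ---

def der_len(n):
    """DER length octets for a content length n (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """DER INTEGER for a non-negative int, adding the 0x00 pad when the top bit is set."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def der_seq(body):
    return b"\x30" + der_len(len(body)) + body

def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key, the structure DKIM's p= tag carries."""
    alg_id = der_seq(bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    pub = der_seq(der_int(n) + der_int(e))                                     # RSAPublicKey
    bit_string = b"\x03" + der_len(len(pub) + 1) + b"\x00" + pub               # 0 unused bits
    return der_seq(alg_id + bit_string)

def read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo blob."""
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _alg, pos = read_tlv(spki, 0)        # AlgorithmIdentifier, not needed for the length
    tag, bit_string, _ = read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_pub, _ = read_tlv(bit_string[1:], 0)   # drop the unused-bits octet
    tag, modulus, _ = read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("missing INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def parse_dkim_record(txt):
    """Split a DKIM TXT record such as 'v=DKIM1; k=rsa; p=...' into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dkim_key_bits(txt):
    """Modulus bit length of the key in a DKIM record; 0 for a revoked (empty p=) key."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are measured here")
    p = re.sub(r"\s+", "", tags.get("p", ""))   # DNS TXT fragments may leave whitespace
    if not p:
        return 0
    return rsa_modulus_bits(base64.b64decode(p))

MIN_BITS = 1024  # the key size the article reports Google issuing to Google Apps domains

def assess(txt, minimum=MIN_BITS):
    bits = dkim_key_bits(txt)
    return {"bits": bits, "ok": bits >= minimum}

# Constructed sample records. The moduli are synthetic numbers picked only for
# their bit length (not products of two primes) and belong to no real domain.
def sample_record(bits):
    n = (1 << (bits - 1)) | 1
    p = base64.b64encode(rsa_spki(n, 65537)).decode()
    return "v=DKIM1; k=rsa; p=" + p

WEAK_RECORD = sample_record(512)
STRONG_RECORD = sample_record(2048)

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, assess(rec))
```

To run this against a live domain, look up the TXT record at `<selector>._domainkey.<domain>` (the selector comes from the `s=` tag of a received message's DKIM-Signature header), join the record's quoted string fragments into one string, and pass it to `assess`. Scheduling that lookup is the "don't set it up once and forget about it" part.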