[Bimi] Verified Mark Certificates with SVGs not compliant with the Tiny PS profile
Hanno Böck <hanno@hboeck.de> Sun, 26 May 2024 09:28 UTC
Return-Path: <hanno@hboeck.de>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 084FCC14F695 for <bimi@ietfa.amsl.com>; Sun, 26 May 2024 02:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hboeck.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nRYv3pc2vSLP for <bimi@ietfa.amsl.com>; Sun, 26 May 2024 02:28:16 -0700 (PDT)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [IPv6:2a01:4f8:121:1ffe:1::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76CC1C14F5FF for <bimi@ietf.org>; Sun, 26 May 2024 02:28:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hboeck.de; s=key1; t=1716715691; bh=ihxbGhaiopH+omy+aAFHJ1BHf3mxlwYv8imV0J7wVzU=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding; b=Jq1WVwIdqS1CuNv0ICt+CoxEusp6alDS7XmrEO+rFfQjVNxssA3xqxCgiRsy5Oz/e ACiUJEPLrq2TUWB6gYCVsWsedQcz3M6JwXiCgmdiMG+2E6stVk/AN04GbAfpap7bXE QZunAtPLykraRi+EmE7RKu/M/n1Jc7rSzeSCJDmHOtLH00C80P2G5aXllgJyKXuCoA blTiPu6WU+PkckdSK5eMUzrEkwwLzCphp68UGp6DL9fszWqXrFBaN6YNdAuiQckD2I P0hsX5ae4jYL7oFi4HYi9uTZU5zK2ipNNPlbp2/32T/wqE1TzlzTCTbsAVVCh3KwbK BI3ow5mwCiB0g==
Original-Subject: Verified Mark Certificates with SVGs not compliant with the Tiny PS profile
Author: Hanno Böck <hanno@hboeck.de>
Date: Sun, 26 May 2024 11:28:10 +0200
From: Hanno Böck <hanno@hboeck.de>
To: bimi@ietf.org
Message-ID: <20240526112810.5774423f@computer>
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.42; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: JJQUPIKLC6TL4F7QRVPC7LZ2T2EGEQMC
X-Message-ID-Hash: JJQUPIKLC6TL4F7QRVPC7LZ2T2EGEQMC
X-MailFrom: hanno@hboeck.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Bimi] Verified Mark Certificates with SVGs not compliant with the Tiny PS profile
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/xzYRH72V2HE9xeUfXK_zUgYSI7k>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Owner: <mailto:bimi-owner@ietf.org>
List-Post: <mailto:bimi@ietf.org>
List-Subscribe: <mailto:bimi-join@ietf.org>
List-Unsubscribe: <mailto:bimi-leave@ietf.org>
Hi,
I discovered that SVG logos embedded in many Verified Mark Certificates
were not compliant with the VMC Requirements.
A security feature of BIMI and VMCs is that the SVG logos should be
validated with the SVG Tiny PS (Portable/Secure) [1] profile, a subset
of SVG provided as a Relax NG schema. This seems like a reasonable
idea, as SVG images come with a range of possible security risks (XML
security risks, XSS).
However, it does not appear that this is taken very seriously within
the BIMI ecosystem. I discovered over 200 VMCs, issued over a time span
of more than four years, with logos not compliant with the SVG Tiny PS
profile. Furthermore, it does not appear that the largest e-mail
provider implementing BIMI - Gmail - validates SVG images according to
the specification.
Between 2019 and today, Entrust has issued 223 certificates with
non-compliant SVGs, more than half of them not yet expired. Digicert
has issued two certificates with non-compliant SVGs and two more with
an invalid data url.
These non-compliant SVGs were likely mistakes and not part of an
attack. There are recommendations by BIMIGroup and Gmail to manually
edit SVG files created by Adobe Illustrator to comply with this
profile. Unsurprisingly, this is not very reliable.
You can find a quick and dirty script to validate SVGs in VMCs here
[3]. You can also find a full list of affected certificates via their
crt.sh IDs there in the subdirectory testdata.
I reported the issue to Entrust's problem-reporting mail addresses on
2024-05-17. I received an irritating autoreply indicating that this
mail address was only meant for existing Entrust customers. ("We are
unable to associate your email address with an active account or order
number and are unable to determine your support contract.") However,
Entrust later confirmed that this is their correct problem reporting
address, and the issue was addressed.
I had "accidentally" not reported all unexpired certs with invalid SVGs
that I had found and added a few certs with valid SVG files. (I may
have done that to test whether Entrust would notice it.)
To their credit, Entrust did not revoke the certificates with valid
SVGs and they revoked all the certificates with invalid SVGs, including
those I had not reported. Entrust revoked all affected certificates as
of 2024-05-23. This is slightly longer than the 5 days that the VMC
requirements demand[2].
The affected Digicert certificates were all expired. Therefore, I have
not reported them.
I also noticed that certificates with those not validating SVGs would
still be displayed within Gmail. I reported this to Gmail, but they
appear to have decided that it is not an issue deserving their
attention. ("We've decided that the issue you reported is not severe
enough for us to track it as a security bug.")
I was surprised by this reaction. I would expect security-conscious
implementors of BIMI to validate SVGs against the security profile.
While I assume Gmail has additional security measures like sandboxing
their SVG renderer, there is an important indirect effect that such a
validation would have: it is very likely that this issue would have
been detected much sooner if the invalid logos had not been displayed
in Gmail.
Ultimately, the most noteworthy part of this issue is that it stayed
undetected for so long. Over a timeframe of more than four years,
Entrust has issued over 200 certificates with SVG files not validating
against the security profile. Entrust did not notice it, and neither
did anyone else. It does not appear anyone is monitoring the VMC/BIMI
ecosystem for compliance with the specs and security requirements.
[1] https://bimigroup.org/resources/SVG_PS-latest.rnc.txt
[2] https://bimigroup.org/resources/VMC_Requirements_latest.pdf
[3] https://github.com/hannob/vmcval
--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
- [Bimi] Verified Mark Certificates with SVGs not c… Hanno Böck
- [Bimi] Re: Verified Mark Certificates with SVGs n… Brotman, Alex
- [Bimi] Re: Verified Mark Certificates with SVGs n… Hanno Böck