[Bimi] BIMI image security open questions

Seth Blank <seth@valimail.com> Wed, 13 March 2019 18:32 UTC

From: Seth Blank <seth@valimail.com>
Date: Wed, 13 Mar 2019 11:31:54 -0700
Message-ID: <CAOZAAfNXZ-trm07nugNK4-eprsf27VrNf16tTYBCCmoOhStTjg@mail.gmail.com>
To: bimi@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/zi90QyPY9nnvOllCmSQUM1RBLuQ>
Subject: [Bimi] BIMI image security open questions

These three drafts cover a myriad of security concerns:
- General threats: https://tools.ietf.org/html/draft-bkl-bimi-overview-00
- Problems with certificates/CAs: https://tools.ietf.org/html/draft-chuang-ietf-bimi-security-perspectives-00
- Other more specific technical issues: https://tools.ietf.org/html/draft-blank-ietf-bimi-00#section-9

Outside of these three documents and specific guidance in
https://tools.ietf.org/html/draft-blank-ietf-bimi-00#section-5.1.2 (which
itself refers to https://tools.ietf.org/html/rfc6170#section-5.2), I
believe the only top-line threat that's not well documented is related to
the image payload itself. Details below from M3AAWG technical.

None of the above authors are experts on these vectors. We'd love to
discuss in more depth or be connected to people or resources who can help
educate us (preferably on this list).

Thanks, we're looking forward to your feedback and participation in the BoF!


The M3AAWG technical list has provided the following threats that are not
encapsulated in the above drafts:

1) Richard Clayton provided:

An issue where the image which is certified may not be the actual image
that is rendered unless care is taken to specify the nature of the
rendering:

https://pdfs.semanticscholar.org/e8c5/6fe612c0edd436361b1f07551c832c0f1fb8.pdf

2) Joe St. Sauver provided:

Steganography in SVG: https://github.com/japplebaum/svgsteg

Script tags in SVG: https://www.redteamsecure.com/evil-svg-project/

The script tag is mediated by the requirements of
https://tools.ietf.org/html/rfc6170#section-5.2, but is still worth calling
out explicitly.
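Both threats above come down to the same operational question for a receiver: what exactly is in the SVG bytes it is about to render, and are those the bytes that were certified? The following is an added example (not code from the drafts, from M3AAWG, or from anyone on this list) of a receiver-side policy check in the spirit of the RFC 6170 section 5.2 restrictions: it refuses `<script>`, event-handler attributes, and references to resources outside the image, then produces a SHA-256 digest of exactly the bytes it accepted so the caller can compare that digest with whatever was certified and hand the very same bytes to the renderer. The function names, the `foreignObject` ban, the DOCTYPE/ENTITY ban, the 32 KiB size cap, and both sample images are assumptions constructed for the example, not requirements taken from any draft.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements the validator refuses outright. <script> is the threat named on
# the list; <foreignObject> is an added assumption (it embeds arbitrary
# non-SVG markup that a renderer may treat as HTML).
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}

# Assumed size cap for a logo; not a figure taken from any BIMI draft.
MAX_BYTES = 32 * 1024

# url(...) references inside style attributes / <style> text.
_URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")\s]*)", re.IGNORECASE)


def _local(qualified):
    """'{ns}name' -> 'name'; names without a namespace pass through."""
    return qualified.rsplit("}", 1)[-1]


def _external_targets(text):
    """Targets of url(...) that do not point inside the document ('#id')."""
    return [t for t in _URL_FUNC.findall(text or "") if not t.startswith("#")]


def svg_policy_violations(svg_bytes):
    """Return a list of human-readable policy violations (empty = accepted)."""
    violations = []
    if len(svg_bytes) > MAX_BYTES:
        violations.append(f"image exceeds {MAX_BYTES} bytes")
    # Refuse DTDs before parsing: entity declarations are a classic XML
    # attack surface and a logo never needs them (assumed rule).
    if re.search(rb"<!(DOCTYPE|ENTITY)", svg_bytes, re.IGNORECASE):
        violations.append("DOCTYPE/ENTITY declarations are not allowed")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return violations + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        violations.append(f"root element is {root.tag!r}, not an SVG <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            violations.append(f"forbidden element <{name}>")
        if name == "style":
            for target in _external_targets(el.text):
                violations.append(f"<style> references external resource {target!r}")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                violations.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and not value.startswith("#"):
                # Covers both plain href and xlink:href; only '#id' is internal.
                violations.append(f"external reference {value!r} on <{name}>")
            for target in _external_targets(value):
                violations.append(f"attribute {aname} references external resource {target!r}")
    return violations


def check_bimi_svg(svg_bytes):
    """Validate, then digest exactly the bytes the renderer will receive.

    Returns (violations, digest). The SHA-256 hex digest is produced only for
    an accepted image, so the caller compares it with the digest it verified
    elsewhere (e.g. in the certificate) and renders these same bytes, not a
    re-fetched or re-serialised copy."""
    violations = svg_policy_violations(svg_bytes)
    if violations:
        return violations, None
    return [], hashlib.sha256(svg_bytes).hexdigest()


# Constructed samples for the example; not real brand logos.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><linearGradient id="g"><stop offset="0" stop-color="#0a0"/></linearGradient></defs>
  <rect width="10" height="10" fill="url(#g)"/>
</svg>"""

EVIL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* constructed marker */">
  <script>/* constructed marker */</script>
  <image xlink:href="https://example.invalid/track.png" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SVG), ("hostile", EVIL_SVG)):
        violations, digest = check_bimi_svg(data)
        print(label, "->", digest or violations)
```

The check deliberately collects every violation rather than stopping at the first one, which is what you want when logging rejected logos for a domain owner; a production receiver would additionally pin the parser's entity handling (or use a hardened XML library) rather than relying on the byte-level DOCTYPE scan alone.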

-- 

Seth Blank | Director, Industry Initiatives

e: seth@valimail.com | p: 415-273-8818

<https://www.valimail.com/>

<https://twitter.com/valimail>
<https://www.linkedin.com/company/valimail/>
<https://www.facebook.com/ValiMail-649042791951699>
