Re: [Captive-portals] Secdir last call review of draft-ietf-capport-rfc7710bis-04
Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Wed, 20 May 2020 11:37 UTC
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51EB3A08D5; Wed, 20 May 2020 04:37:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azKNhlmXAVOL; Wed, 20 May 2020 04:37:27 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 177063A08D4; Wed, 20 May 2020 04:37:26 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id g14so4526677wme.1; Wed, 20 May 2020 04:37:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uHBEg7gix26F6RCMQIpVhhiUWoQP1doHv9jK6id/dKA=; b=WPxdatTNqk4Ok2kloa1jD4DTN1UN7DIrvdqqnZXCzFPn2Dg/pSqZAVd8lol1Jh3uTb xZ3or3VW8FziSeznrxjN4D3bUTLr+1X+kNe16RJVsC1oiE0Rov4HF6sTMYA406AhVs9R Fa6bzmv8TP2QrcNBBZPLxUaEyvDxE+qGbu5AEClDiKdLR5KjRK+XJprb5aBWNX1bN1ss 8Stfj+Ke46Sm1Hiz73P6oleSpiloKHMicf/+n4komSvYCrINQVn1eNNeAiyMM19gR0yW 6ax6t1mWyxCg8QTejEwlBQLEKR65n+spaGxCe0FLWuybeW6z4yYCetZCyPC8xkLF2+ui khVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uHBEg7gix26F6RCMQIpVhhiUWoQP1doHv9jK6id/dKA=; b=HiTfIDlJZPQ89yLTN5+h1lDkin0vOkGeWrpuv1q6VlFF51pLBbiYKmygcEAPBWVVwQ xZhEpDgjA1Wzpp9xJEFUTucIVMbKjzKFsX7fLzN33YiPSp4k0+D73CCxzwATVJwGvUVI YnjqTLcKOCwK3Rql4W9xtp6HUcO95GiLnWEoJprBKW8/LQL4XS1QLU8GHyFUNnX3ynQd OLlULVVQdIpu+NTuky+2J32QTn/BK+goemDBxW27TlkThafzqdvh+cDeziJLS3a6aEU1 L8cdNr3FW/RuGiXfRn8JzmKu5Sp0NoK1UDgD4mioJL0Ip75JNqJ+4I1Qqa9VJd783cI/ hFTA==
X-Gm-Message-State: AOAM532v1xGAw2H/19ldUNiVVfj9h7j73pS6kf6aDWnu1GRjDA57FGTL JLRi77jRYimbWz0dnnHFs5VvfJZdLmD0FhBs+Vk=
X-Google-Smtp-Source: ABdhPJyTS4uTmmx6oU4l5XZoh5g17wUa+6Cu3gBgj/O+rAhkkUfaE8S3fhyojCc8xltzvXbzpOlUZzlsFCn9gm5vKW8=
X-Received: by 2002:a1c:3b87:: with SMTP id i129mr4539753wma.38.1589974645404; Wed, 20 May 2020 04:37:25 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP8o+d4ivAacHQiXUk96F0gDqFe2Qa6rPQsCBgDr_=wHrQ@mail.gmail.com> <CADNypP9hk+gpGuch0mxnePTVRMnn+GmCbpFpKYkVRV4C_FRUgA@mail.gmail.com> <cf39782e-3d76-4104-9430-164f8b1a9846@www.fastmail.com> <CADNypP_iar9CQaP8jqLHyXLCh2+Y7OOhdx3W3Qd93PFj2Fbd3w@mail.gmail.com>
In-Reply-To: <CADNypP_iar9CQaP8jqLHyXLCh2+Y7OOhdx3W3Qd93PFj2Fbd3w@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 20 May 2020 07:37:14 -0400
Message-ID: <CADNypP-_Bw6nw=5EgncBstYPbYTV1xiZ7fYUtS-Cr42_O=s+eA@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>, kaduk@mit.edu, barryleiba@computer.org
Cc: secdir@ietf.org, captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f0fb3805a612d1ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/pI2x9y2xrqZVDmhOMsJzc8iFEHg>
Subject: Re: [Captive-portals] Secdir last call review of draft-ietf-capport-rfc7710bis-04
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2020 11:37:30 -0000
Adding SecDir back to this thread. >Martin Thomson <mt@lowentropy.net> Tue, 19 May 2020 01:02 UTCShow header > >On Tue, May 19, 2020, at 07:08, Rifaat Shekh-Yusef wrote: >> it provides the client of the API >> an opportunity to authenticate the server that is hosting the API. >> This authentication is aimed at *allowing a user to be reasonably >> confident that the entity providing the Captive Portal API has a >> valid certificate for the hostname in the URI* >[...] >> An end user should be able to validate that the name is example.com and >> not any other form of the URI. >> It would be much more difficult for the end user to make sense and >> validate an IP address. > >I think that you missed the point of my comments. This validation, performed by >a user, has no meaningful security value. The text you cite says that the server >has a certificate for the name it chooses, which is not the same as "has a certificate >for a name the client expects". The difference is important. > This is not the way I read these statements from section 4.1 titled *Server Authentication*. Here is the use case I have in mind when I read this section: If I walk into an airport and I see an ad for a paid Internet service from example.com, then as an end user it is reasonable to expect that I would have some ability to make sense of the name presented to me and make sure it is from example.com if I choose to get such a service. If this is not the case, then yo might want to make it clear that this is not about *Server Authentication* as the title of the section and the text inside that section is suggesting. Regards, Rifaat >In a typical web scenario, a person types a string in and (ignore the case where there >is an extra hop via a search engine) that string determines what is acceptable as a >server identity. The exposure to confusables is limited (under a set of other assumptions, >HSTS, etc...). Here, the network has free reign to do as they choose with homoglyphs and >other such nonsense. Any expectation you might have about this really being a trustworthy >entity is meaningless in this context. > >There are protections against this, but they all lie firmly in the anti-phishing domain. >Most of those rely on having a certificate though, so the requirement for HTTPS is in >service of that, not in terms of ensuring that an untrained human can make a security >critical decision based on poisoned information. On Mon, May 18, 2020 at 5:08 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote: > Adding Ben. > > > On Sun, May 17, 2020 at 9:26 PM Martin Thomson <mt@lowentropy.net> wrote: > >> Adding more lists. >> >> On Sun, May 17, 2020, at 02:50, Rifaat Shekh-Yusef wrote: >> > > Here is a quote form the API document: >> > > "The hostname of the API SHOULD be displayed to the user in order to >> indicate the entity which is providing the API service." >> > > >> > > This seems to suggest that the user is expected to inspect the >> displayed name and make sure it is make sense in the context of whoever is >> providing that service. >> >> I don't think that is the case. If this were a security mechanism, then >> it would use "MUST". This is likely for the purpose of enabling some sort >> of accountability. In other words, this is to offer maximal information >> about what is going on. >> >> Here is the sentence just before the above quote from the API document: > > it provides the client of the API > an opportunity to authenticate the server that is hosting the API. > This authentication is aimed at *allowing a user to be reasonably > confident that the entity providing the Captive Portal API has a > valid certificate for the hostname in the URI* > > > > > >> > > Since this would be an easier attack compared to the interception >> attack, and IP address is still permitted, then an attacker might force the >> use of IP address to make it harder for the user to make sense of the >> displayed name. >> >> I don't think that is materially different than getting a name with >> confusable characters (or using the prefix hack, example.com.<some-guid>.example, >> in an attempt to confuse). >> > > An end user should be able to validate that the name is example.com and > not any other form of the URI. > It would be much more difficult for the end user to make sense and > validate an IP address. > > Regards, > Rifaat > >
- [Captive-portals] Secdir last call review of draf… Rifaat Shekh-Yusef via Datatracker
- Re: [Captive-portals] Secdir last call review of … Erik Kline
- Re: [Captive-portals] Secdir last call review of … Martin Thomson
- Re: [Captive-portals] Secdir last call review of … Erik Kline
- Re: [Captive-portals] Fwd: [Last-Call] Secdir las… Benjamin Kaduk
- Re: [Captive-portals] Fwd: [Last-Call] Secdir las… Erik Kline
- Re: [Captive-portals] Fwd: [Last-Call] Secdir las… Erik Kline
- Re: [Captive-portals] Fwd: [Last-Call] Secdir las… Barry Leiba
- Re: [Captive-portals] Fwd: [Last-Call] Secdir las… Erik Kline
- Re: [Captive-portals] Fwd: [Last-Call] Secdir las… Erik Kline
- Re: [Captive-portals] Fwd: [Last-Call] Secdir las… Barry Leiba
- Re: [Captive-portals] Secdir last call review of … Martin Thomson
- Re: [Captive-portals] Secdir last call review of … Rifaat Shekh-Yusef
- Re: [Captive-portals] Secdir last call review of … Martin Thomson
- Re: [Captive-portals] Secdir last call review of … Rifaat Shekh-Yusef
- Re: [Captive-portals] Secdir last call review of … Erik Kline
- Re: [Captive-portals] Secdir last call review of … Rifaat Shekh-Yusef
- Re: [Captive-portals] Secdir last call review of … Tommy Pauly
- Re: [Captive-portals] Secdir last call review of … Rifaat Shekh-Yusef
- Re: [Captive-portals] Secdir last call review of … Erik Kline
- Re: [Captive-portals] Secdir last call review of … Rifaat Shekh-Yusef