IETF Logo Mail Archive

Re: [Captive-portals] Secdir last call review of draft-ietf-capport-rfc7710bis-04

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Wed, 20 May 2020 11:37 UTC

Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51EB3A08D5; Wed, 20 May 2020 04:37:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id azKNhlmXAVOL; Wed, 20 May 2020 04:37:27 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 177063A08D4; Wed, 20 May 2020 04:37:26 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id g14so4526677wme.1; Wed, 20 May 2020 04:37:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uHBEg7gix26F6RCMQIpVhhiUWoQP1doHv9jK6id/dKA=; b=WPxdatTNqk4Ok2kloa1jD4DTN1UN7DIrvdqqnZXCzFPn2Dg/pSqZAVd8lol1Jh3uTb xZ3or3VW8FziSeznrxjN4D3bUTLr+1X+kNe16RJVsC1oiE0Rov4HF6sTMYA406AhVs9R Fa6bzmv8TP2QrcNBBZPLxUaEyvDxE+qGbu5AEClDiKdLR5KjRK+XJprb5aBWNX1bN1ss 8Stfj+Ke46Sm1Hiz73P6oleSpiloKHMicf/+n4komSvYCrINQVn1eNNeAiyMM19gR0yW 6ax6t1mWyxCg8QTejEwlBQLEKR65n+spaGxCe0FLWuybeW6z4yYCetZCyPC8xkLF2+ui khVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uHBEg7gix26F6RCMQIpVhhiUWoQP1doHv9jK6id/dKA=; b=HiTfIDlJZPQ89yLTN5+h1lDkin0vOkGeWrpuv1q6VlFF51pLBbiYKmygcEAPBWVVwQ xZhEpDgjA1Wzpp9xJEFUTucIVMbKjzKFsX7fLzN33YiPSp4k0+D73CCxzwATVJwGvUVI YnjqTLcKOCwK3Rql4W9xtp6HUcO95GiLnWEoJprBKW8/LQL4XS1QLU8GHyFUNnX3ynQd OLlULVVQdIpu+NTuky+2J32QTn/BK+goemDBxW27TlkThafzqdvh+cDeziJLS3a6aEU1 L8cdNr3FW/RuGiXfRn8JzmKu5Sp0NoK1UDgD4mioJL0Ip75JNqJ+4I1Qqa9VJd783cI/ hFTA==
X-Gm-Message-State: AOAM532v1xGAw2H/19ldUNiVVfj9h7j73pS6kf6aDWnu1GRjDA57FGTL JLRi77jRYimbWz0dnnHFs5VvfJZdLmD0FhBs+Vk=
X-Google-Smtp-Source: ABdhPJyTS4uTmmx6oU4l5XZoh5g17wUa+6Cu3gBgj/O+rAhkkUfaE8S3fhyojCc8xltzvXbzpOlUZzlsFCn9gm5vKW8=
X-Received: by 2002:a1c:3b87:: with SMTP id i129mr4539753wma.38.1589974645404; Wed, 20 May 2020 04:37:25 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP8o+d4ivAacHQiXUk96F0gDqFe2Qa6rPQsCBgDr_=wHrQ@mail.gmail.com> <CADNypP9hk+gpGuch0mxnePTVRMnn+GmCbpFpKYkVRV4C_FRUgA@mail.gmail.com> <cf39782e-3d76-4104-9430-164f8b1a9846@www.fastmail.com> <CADNypP_iar9CQaP8jqLHyXLCh2+Y7OOhdx3W3Qd93PFj2Fbd3w@mail.gmail.com>
In-Reply-To: <CADNypP_iar9CQaP8jqLHyXLCh2+Y7OOhdx3W3Qd93PFj2Fbd3w@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 20 May 2020 07:37:14 -0400
Message-ID: <CADNypP-_Bw6nw=5EgncBstYPbYTV1xiZ7fYUtS-Cr42_O=s+eA@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>, kaduk@mit.edu, barryleiba@computer.org
Cc: secdir@ietf.org, captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f0fb3805a612d1ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/pI2x9y2xrqZVDmhOMsJzc8iFEHg>
Subject: Re: [Captive-portals] Secdir last call review of draft-ietf-capport-rfc7710bis-04
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2020 11:37:30 -0000

Adding SecDir back to this thread.


>Martin Thomson <mt@lowentropy.net> Tue, 19 May 2020 01:02 UTCShow header
>
>On Tue, May 19, 2020, at 07:08, Rifaat Shekh-Yusef wrote:
>>    it provides the client of the API
>>    an opportunity to authenticate the server that is hosting the API.
>>    This authentication is aimed at *allowing a user to be reasonably
>>    confident that the entity providing the Captive Portal API has a
>>    valid certificate for the hostname in the URI*
>[...]
>> An end user should be able to validate that the name is example.com and
>> not any other form of the URI.
>> It would be much more difficult for the end user to make sense and
>> validate an IP address.
>
>I think that you missed the point of my comments.  This validation,
performed by
>a user, has no meaningful security value.  The text you cite says that the
server
>has a certificate for the name it chooses, which is not the same as "has a
certificate
>for a name the client expects".  The difference is important.
>

This is not the way I read these statements from section 4.1 titled *Server
Authentication*.

Here is the use case I have in mind when I read this section:
If I walk into an airport and I see an ad for a paid Internet service from
example.com, then as an
end user it is reasonable to expect that I would have some ability to make
sense of the name
presented to me and make sure it is from example.com if I choose to get
such a service.

If this is not the case, then yo might want to make it clear that this is
not about *Server Authentication*
as the title of the section and the text inside that section is suggesting.

Regards,
 Rifaat



>In a typical web scenario, a person types a string in and (ignore the case
where there
>is an extra hop via a search engine) that string determines what is
acceptable as a
>server identity.  The exposure to confusables is limited (under a set of
other assumptions,
>HSTS, etc...).  Here, the network has free reign to do as they choose with
homoglyphs and
>other such nonsense.  Any expectation you might have about this really
being a trustworthy
>entity is meaningless in this context.
>
>There are protections against this, but they all lie firmly in the
anti-phishing domain.
>Most of those rely on having a certificate though, so the requirement for
HTTPS is in
>service of that, not in terms of ensuring that an untrained human can make
a security
>critical decision based on poisoned information.

On Mon, May 18, 2020 at 5:08 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> Adding Ben.
>
>
> On Sun, May 17, 2020 at 9:26 PM Martin Thomson <mt@lowentropy.net> wrote:
>
>> Adding more lists.
>>
>> On Sun, May 17, 2020, at 02:50, Rifaat Shekh-Yusef wrote:
>> > > Here is a quote form the API document:
>> > > "The hostname of the API SHOULD be displayed to the user in order to
>> indicate the entity which is providing the API service."
>> > >
>> > > This seems to suggest that the user is expected to inspect the
>> displayed name and make sure it is make sense in the context of whoever is
>> providing that service.
>>
>> I don't think that is the case.  If this were a security mechanism, then
>> it would use "MUST".  This is likely for the purpose of enabling some sort
>> of accountability.  In other words, this is to offer maximal information
>> about what is going on.
>>
>> Here is the sentence just before the above quote from the API document:
>
>    it provides the client of the API
>    an opportunity to authenticate the server that is hosting the API.
>    This authentication is aimed at *allowing a user to be reasonably
>    confident that the entity providing the Captive Portal API has a
>    valid certificate for the hostname in the URI*
>
>
>
>
>
>> > > Since this would be an easier attack compared to the interception
>> attack, and IP address is still permitted, then an attacker might force the
>> use of IP address to make it harder for the user to make sense of the
>> displayed name.
>>
>> I don't think that is materially different than getting a name with
>> confusable characters (or using the prefix hack, example.com.<some-guid>.example,
>> in an attempt to confuse).
>>
>
> An end user should be able to validate that the name is example.com and
> not any other form of the URI.
> It would be much more difficult for the end user to make sense and
> validate an IP address.
>
> Regards,
>  Rifaat
>
>

v2.23.0 | Report a Bug | By Email