IETF Logo Mail Archive

Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 24 May 2018 13:16 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F8CB12E8DF; Thu, 24 May 2018 06:16:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z3GgmT8vMo9q; Thu, 24 May 2018 06:16:39 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70FD012EAB7; Thu, 24 May 2018 06:16:31 -0700 (PDT)
X-AuditID: 12074425-d63ff70000004f1a-c8-5b06bb2e3384
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 18.21.20250.E2BB60B5; Thu, 24 May 2018 09:16:30 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w4ODGSd6021855; Thu, 24 May 2018 09:16:29 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w4ODGLfO009942 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 24 May 2018 09:16:24 -0400
Date: Thu, 24 May 2018 08:16:22 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: yuvalif=40yahoo.com@dmarc.ietf.org, Ben Campbell <ben@nostrum.com>, dime-chairs@ietf.org, dime@ietf.org, IESG <iesg@ietf.org>, draft-ietf-dime-rfc4006bis@ietf.org
Message-ID: <20180524131619.GH32807@kduck.kaduk.org>
References: <152699690275.31181.16673564293046142291.idtracker@ietfa.amsl.com> <57F7AC78-C094-402D-8834-3AC049EED31E@nostrum.com> <380581659.4450262.1527064311638@mail.yahoo.com> <20180523135822.GA32807@kduck.kaduk.org> <1467920717.4840713.1527142671894@mail.yahoo.com> <CAKKJt-f+=M+VHReeE-0=787kkSNgGZp6nzX6i9+dbOEoF-yBCA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAKKJt-f+=M+VHReeE-0=787kkSNgGZp6nzX6i9+dbOEoF-yBCA@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrIKsWRmVeSWpSXmKPExsUixCmqrau3my3a4NF5aYv5nafZLdYeTLOY 27uCzWLJxAmsFjP+TGS2WDZlD7NF4+qfLA7sHieWXWH12DnrLrvHkiU/mTxm7XzCEsASxWWT kpqTWZZapG+XwJVxfa9AwUSnirXTehgbGK+ZdDFyckgImEiceLaZtYuRi0NIYDGTxOL1l9gh nI2MEnMWX4VyrjJJ7F9ymxGkhUVAVaLj+iVmEJtNQEWiofsymC0iYC2xpa+TDcRmFtjBKDF7 hjiILSyQLfFpwgSwOC/QuquzbrNADL3DJPG3ZSoLREJQ4uTMJywQzeoSf+aBLOAAsqUllv/j gAjLSzRvnQ22i1MgUOLPjk3sILaogLLE3r5D7BMYBWchmTQLyaRZCJNmIZm0gJFlFaNsSm6V bm5iZk5xarJucXJiXl5qka6FXm5miV5qSukmRlBssLuo7mCc89frEKMAB6MSD++FVNZoIdbE suLK3EOMkhxMSqK8Tsxs0UJ8SfkplRmJxRnxRaU5qcWHGCU4mJVEeBckAeV4UxIrq1KL8mFS 0hwsSuK8OYsYo4UE0hNLUrNTUwtSi2CyMhwcShK8mruAGgWLUtNTK9Iyc0oQ0kwcnCDDeYCG u4HU8BYXJOYWZ6ZD5E8x6nJ0vJ/SwyzEkpeflyolzpsKUiQAUpRRmgc3B5TSJLL317xiFAd6 S5jXFqSKB5gO4Sa9AlrCBLTk4nJmkCUliQgpqQbG5d7pvWway6ZvLGq/vMWYY/vTe1WnNVy0 Aw9Kn1N9yfzMkeHxXj+Jd6qnfrjePRawP+xQ/bX3XAIsM8sPTbEzdX44NUui6bFsaJNf1OyH rZwqjXZ19o+/bt+5ZpuTr+OJDdu1A69/8jrDvfz8rQqWhujDvmtuGCRsuXD4q9qByKt3+yfM 3tO8V4mlOCPRUIu5qDgRAKRBzmVEAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/HIqsmixjD0wQOQL-Do2uG6Pt8K8>
Subject: Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 13:16:50 -0000

[trimming some quoted material]
On Thu, May 24, 2018 at 08:01:04AM -0500, Spencer Dawkins at IETF wrote:
> Keeping in mind that this is Benjamin's ballot thread, so what he thinks
> matters more than what I think ...
> 
> On Thu, May 24, 2018 at 1:20 AM Yuval Lifshitz <yuvalif=
> 40yahoo.com@dmarc.ietf.org> wrote:
> 
> > *inline*
> >
> > On Wednesday, May 23, 2018, 4:58:32 p.m. GMT+3, Benjamin Kaduk <
> > kaduk@mit.edu> wrote:
> >
> >
> > On Wed, May 23, 2018 at 08:31:51AM +0000, Yuval Lifshitz wrote:
> > >    On Wednesday, May 23, 2018, 6:32:47 a.m. GMT+3, Ben Campbell <
> > ben@nostrum.com> wrote:
> > >
> > >
> > > > On May 22, 2018, at 8:48 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> > > >
> > > > ----------------------------------------------------------------------
> > > > DISCUSS:
> > > > ----------------------------------------------------------------------
> > > >
> > > > With the redirection schemes covered in Section 5.6.2, it sounds
> > > > like the user can be redirected (at the application protocol level,
> > > > e.g., HTTP or SIP) to a top-up server to purchase more credits.  I
> > > > don't see a way described how user agents can distinguish between a
> > > > Diameter-induced redirect and an attacker-induced redirect to a
> > > > (potentially phishing) site that accepts payment information.  To be
> > > > clear, the scenario here is that a user is using a credit-controlled
> > > > application session to talk to "arbitrary application servers",
> > > > including potentially attacker-controllled HTTP/SIP/etc. servers;
> > > > the attacker could introduce a redirect to a phishing page that asks
> > > > for payment information, and the user would be led to believe that
> > > > this was the normal flow for "my prepaid balance has been used up",
> > > > and give their payment information to the phishing site. I think
> > > > that either user agents need to give some indication that this
> > > > DIAMETER-level redirect is different than an
> > > > application-protocol-level redirect (e.g., http) or the Security
> > > > Considerations need to mention the risk of acclimating users to
> > > > arbitrary websites redirecting to sites asking for payment
> > > > credentials, which may or may not be legitimate sites.
> > > >
> > >
> > > I think it’s reasonable to mention the concern in the security
> > considerations. But I don’t see how a redirection based on this
> > specification is any different than any other time an HTTP browser or SIP
> > UA connects to a resource based on an arbitrary URL.
> >
> > In some sense, it's not.  My claim is more that users are being
> > conditioned to expect payment prompts to appear at "arbitrary times"
> > than a specific flaw in this workflow.
> >
> >
> > > But to put some more context around this, the Diameter client is
> > typically a Network Access Server (NAS) that the end user is using for
> > network access. The user is already at the mercy of that NAS, and that NAS
> > is at the mercy of the credit-control application server. The user’s trust
> > in that NAS seems to have the same issues whether or not this Diameter
> > application is used.
> > >
> > > [yuval] agree with Ben, if someone bad took control over the NAS, they
> > can do much worse
> >
> > I agree that the NAS could send traffic to "wherever", but my
> > objection could perhaps be categorized as more "social" than
> > "technical".  Maybe I should attempt to give an example (and you can
> > point out if I misunderstand things).
> >
> > I believe that a "normal usage" of this technology could be for a
> > user with a prepaid data plan to be using a web browser, and, e.g.,
> > connect successfully to https://example.com. Suppose that this
> > request used up their last remaining credits, and they click on a
> > link from that page.  Instead of going to the actual target of that
> > link, they are redirected to the data plan owner's top-up page,
> > which displays a message "your balance is zero; please enter credit
> > card information to purchase more data", the user pays, and can
> > potentially even be redirected back to the actual target of the link
> > they clicked on (though that's not key to my example).  Let's
> > consider what would happen in an "attack scenario", where the same
> > user has plenty of data quota remaining, and goes to
> > https://honest-achmed.com. They click on a link from that page,
> > which instead of going to an "actual site" that would be expected
> > from the context surrounding the link, actually goes to
> > http://[IP address controlled by attacker]/topup.html, which is
> > designed to look as similar as possible to the actual data plan
> > owner's top-up page.  The user may then enter their payment
> > information, and get redirected to a site with actual content,
> > believing that they have obtained more data quota from their
> > provider, when in reality they have given their credit card
> > information to a phisher.
> >
> > I don't see what mechanism is in place to allow the user to be able
> > to distinguish between the "normal usage" scenario and the "attack
> > scenario".  I also understand that this sort of technology is
> > already deployed and is seen as useful by both users and data
> > providers, so it seems unrealistic to expect to be able to get rid
> > of this usage entirely.  I do think that it is unreasonable for us
> > to enable this behavior without documenting the risks to the user,
> > though.
> >
> > *[yuval] I guess that there is nothing in the spec that technically
> > enables phishing, however, it makes the social engineering part of it
> > easier. How about the following addition to the security sections:*
> > *"It is RECOMMENDED that operators put in place mechanisms that would help
> > their subscribers identify a valid redirect operation from a malicious one"*
> >
> 
> I wouldn't dream of saying this is not a good idea, but I do wonder if this
> is the right document to call attention to that problem. It sure sounds
> more generic than "topping off my access credit".

I also am not saying this is not a good idea, but...

> Are the right people who need to be aware of that problem in order to fix
> it going to look to this document for guidance?
> 
> If the answer is "yes", go for it, but if that advice needs to be somewhere
> more visible, please do the right thing.

... it's unclear to me that this document is the right place for
such guidance.  That is, instead of a concrete recommendation, I had
in mind just giving some extra facts that would allow the reader to
consider the security implications of their deployment (this is the
Security Considerations, after all), as in something like:

This document includes a redirection facility whereby the service
provider can redirect (in an application-specific way) the end user
to an alternate location when their credits have expired.  This is
useful in that it allows for the user to return to normal service
quickly, but also exposes additional risks and attack surface.  In
particular, this redirection can potentially occur at an
arbitrary point in a user's session, potentially without any
additional contextual confirmation available to the user that the
redirection is driven by the network.  Such a confirmation is
important because, in many application protocols, the communication
peer is also capable of inducing redirection, and when the peer is
an attacker, the redirection can be to an attacker-controlled site.
In particular, such sites may be "phishing" sites designed to appear
similar to legitimate payment sites in an attempt to obtain users'
payment information for fraudulent uses.  Because of the potentially
harmful consequences of arbitrary redirection by an attacker (such
as to phishing sites), it can be important for users and service
providers to be aware of the risk and take measures to ensure that
sensitive information (such as payment information) is only used for
legitmiate purposes.  If an out-of-band signalling channel is
available to provide contextual information that a redirection is
triggered by the network as opposed to a communications peer, that
can provide a highly effective mechanism for remediating this class
of risk.

(The above may well be too wordy and could benefit from editing, of
course.)

-Benjamin

v2.23.0 | Report a Bug | By Email