Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Thu, 24 May 2018 19:24 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77947129BBF; Thu, 24 May 2018 12:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rjwtMLWaCo2T; Thu, 24 May 2018 12:24:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 366F1127869; Thu, 24 May 2018 12:24:14 -0700 (PDT)
X-AuditID: 12074423-6abff700000069f1-26-5b07115c31e9
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 58.D6.27121.C51170B5; Thu, 24 May 2018 15:24:12 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w4OJOAuR010972; Thu, 24 May 2018 15:24:10 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w4OJO1eJ013462 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 24 May 2018 15:24:05 -0400
Date: Thu, 24 May 2018 14:24:01 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ben Campbell <ben@nostrum.com>
Cc: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, yuvalif=40yahoo.com@dmarc.ietf.org, draft-ietf-dime-rfc4006bis@ietf.org, dime-chairs@ietf.org, dime@ietf.org, IESG <iesg@ietf.org>
Message-ID: <20180524192400.GL32807@kduck.kaduk.org>
References: <152699690275.31181.16673564293046142291.idtracker@ietfa.amsl.com> <57F7AC78-C094-402D-8834-3AC049EED31E@nostrum.com> <380581659.4450262.1527064311638@mail.yahoo.com> <20180523135822.GA32807@kduck.kaduk.org> <1467920717.4840713.1527142671894@mail.yahoo.com> <CAKKJt-f+=M+VHReeE-0=787kkSNgGZp6nzX6i9+dbOEoF-yBCA@mail.gmail.com> <20180524131619.GH32807@kduck.kaduk.org> <D1953E63-04AF-48C0-854A-914F8E77E20E@nostrum.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR"
Content-Disposition: inline
In-Reply-To: <D1953E63-04AF-48C0-854A-914F8E77E20E@nostrum.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrKKsWRmVeSWpSXmKPExsUixCmqrBsjyB5tcGifjMX8ztPsFmsPplnM 7V3BZrFk4gRWixl/JjJbLJuyh9micfVPFgd2jxPLrrB67Jx1l91jyZKfTB6zdj5hCWCJ4rJJ Sc3JLEst0rdL4MrYNvkOc8FNzYprBxewNTDeUupi5OCQEDCReP0nuouRi0NIYDGTxPUbt5kh nI2MEj/P97NAOFeZJFa+XQuU4eRgEVCVeHT+HSOIzSagItHQfRksLiKgJPG8eStYA7PALUaJ jvt/wRLCAtkSnyZMYAOxeYHWnVrRBbViD7PE2+8XGCESghInZz5hAbGZBcokLmzrYQa5j1lA WmL5Pw6QMKeAvcSZ5S2sILaogLLE3r5D7BMYBWYh6Z6FpHsWQjdEWEvixr+XTBjC2hLLFr5m hrBtJdate8+ygJF9FaNsSm6Vbm5iZk5xarJucXJiXl5qka6ZXm5miV5qSukmRlAssbso72B8 2ed9iFGAg1GJh3fDAbZoIdbEsuLK3EOMkhxMSqK8a/8BhfiS8lMqMxKLM+KLSnNSiw8xqgDt erRh9QVGKZa8/LxUJRHe7l9AdbwpiZVVqUX5MGXSHCxK4rw5ixijhQTSE0tSs1NTC1KLYLIy HBxKErzyAuzRQoJFqempFWmZOSUIaSYOzkOMEhw8QMPngtTwFhck5hZnpkPkTzHqcnS8n9LD LAR2gZQ4bytIkQBIUUZpHtwcUGqUyN5f84pRHOhFYd61IFU8wLQKN+kV0BImoCUXlzODLClJ REhJNTDmV7+f+zX9t7nnwnfXG+ur2NkmeW1/0iiZHn/7/ZW++tK1291O1Z3LucvHk5aeGx2+ 56lU/BdLifnnE0v51+969Er+uMMGRW4D1mt3Rer990mUmmbN73zRyz8rg6HsPNftTY+y4ja0 XZv4qVJEetnGGHnNwwz9Exg1S24++9bMsjFOYeLnQ55KLMUZiYZazEXFiQBPvZhPaAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/xF7KS5i7rmwgazq3Twcg5BMadMY>
Subject: Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf-dime-rfc4006bis-08: (with DISCUSS and COMMENT)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 19:24:17 -0000
On Thu, May 24, 2018 at 02:17:31PM -0500, Ben Campbell wrote: > > > > On May 24, 2018, at 8:16 AM, Benjamin Kaduk <kaduk@MIT.EDU> wrote: > > > > ... it's unclear to me that this document is the right place for > > such guidance. That is, instead of a concrete recommendation, I had > > in mind just giving some extra facts that would allow the reader to > > consider the security implications of their deployment (this is the > > Security Considerations, after all), as in something like: > > > > This document includes a redirection facility whereby the service > > provider can redirect (in an application-specific way) the end user > > to an alternate location when their credits have expired. This is > > useful in that it allows for the user to return to normal service > > quickly, but also exposes additional risks and attack surface. In > > particular, this redirection can potentially occur at an > > arbitrary point in a user's session, potentially without any > > additional contextual confirmation available to the user that the > > redirection is driven by the network. Such a confirmation is > > important because, in many application protocols, the communication > > peer is also capable of inducing redirection, and when the peer is > > an attacker, the redirection can be to an attacker-controlled site. > > In particular, such sites may be "phishing" sites designed to appear > > similar to legitimate payment sites in an attempt to obtain users' > > payment information for fraudulent uses. Because of the potentially > > harmful consequences of arbitrary redirection by an attacker (such > > as to phishing sites), it can be important for users and service > > providers to be aware of the risk and take measures to ensure that > > sensitive information (such as payment information) is only used for > > legitmiate purposes. If an out-of-band signalling channel is > > available to provide contextual information that a redirection is > > triggered by the network as opposed to a communications peer, that > > can provide a highly effective mechanism for remediating this class > > of risk. > > > > (The above may well be too wordy and could benefit from editing, of > > course.) > > Based on our discussion on the telechat, how about something like the following? > > "This document includes a redirection facility whereby the service > provider can redirect (in an application-specific way) the end user > to an alternate location when their credits have expired. This is > useful in that it allows for the user to return to normal service > quickly, but also exposes additional risks and attack surface. In > particular, this redirection can potentially occur at an > arbitrary point in a user's session, potentially without any > additional contextual confirmation available to the user that the > redirection is driven by the network. This lack of confirmation matters > because, in many application protocols, the communication > peer is also capable of inducing redirection. When the peer is > an attacker, the redirection can be to an attacker-controlled site. > In particular, such sites may be "phishing" sites designed to appear > similar to legitimate payment sites in an attempt to obtain users' > payment information for fraudulent uses. When users become used > to such redirection, they may have difficulty distinguishing such "such" might be ambiguous here; maybe "network-induced" or "network-driven"? > attacks from legitimate redirections. > > Because of the potentially > harmful consequences of arbitrary redirection by an attacker (such > as to phishing sites), it can be important for users and service > providers to be aware of the risk and take measures to ensure that > sensitive information (such as payment information) is only used for > legitmiate purposes. Operators should follow industry best practices I see my typo for "legitimate" is preserved :) > for the specific application layer protocol to reduce the chances that > such attacks could be mistaken for legitimate redirection. The details > of such practice are out of scope for this document." The above nitpicking aside, I think this text suffices to resolve my DISCUSS point. (And I guess we're going with removing "instead of" to resolve the other one?) -Benjamin
- [Dime] Benjamin Kaduk's Discuss on draft-ietf-dim… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Ben Campbell
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Spencer Dawkins at IETF
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Ben Campbell
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Ben Campbell
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Dime] Benjamin Kaduk's Discuss on draft-ietf… Yuval Lifshitz