Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
Iljitsch van Beijnum <iljitsch@muada.com> Mon, 10 September 2007 15:47 UTC
From: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: Next step on web phishing draft (draft-hartman-webauth-phishing-05.txt)
Date: Sun, 09 Sep 2007 23:37:45 +0200
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: ietf-http-auth@osafoundation.org, discuss@apps.ietf.org, saag@mit.edu, ietf@ietf.org, ietf-http-wg@w3.org
On 8-sep-2007, at 20:09, Alexey Melnikov wrote:

> This message is trying to summarize recent discussions on
> draft-hartman-webauth-phishing-05.txt.
>
> Several people voiced their support for the document (on IETF mailing
> list and in various other off-list discussions). Ekr doesn't think that
> the document should be published in the current form and he has some
> good technical points that need to be addressed. At least one more
> revision is needed to address recent comments from Ekr and SecDir
> review.

Here's an outsider review. What's an Ekr, btw?

I really dislike the use of "fishing" with creative spelling in a document prepared for an international standards organization. The world certainly doesn't need more words that sound the same and differ in meaning only by the way they're written, and I'm not sure how prevalent this terminology is outside the US and/or the English speaking world. Please come up with something more descriptive.

During the reading of this document, it occurred to me that HTTP digest authentication (RFC 2617) rather than the widely used practice of having security credentials be typed into an HTTP form would achieve 90% of the requirements all by itself. (More or less the same thing for S/MIME in mail.) The main part that's missing there is protection against a man in the middle. Obviously TLS goes through great pains to avoid men in the middle, but the document has no trouble throwing that out of the window:

    The attacker can also spoof trust markers such as the security lock,
    URL bar and other parts of the browser UI.

And:

    Users do not typically understand certificates and cannot make
    informed decisions about whether the subject name in a certificate
    corresponds to the entity they are attempting to communicate with.
    As a consequence of this assumption, users will likely be fooled by
    strings either in website names or certificates that look visually
    similar but that are composed of different code points.
Although I agree that a system that can work even under these assumptions would be great, I think it's harmful to adopt them in this way, because it sends a number of very bad messages:

- it's ok for browser vendors to play fast and loose with security related UI elements such as the lock icon and the URL bar (i.e., have them controlled by the remote server)
- it's ok for domain vendors to sell domains that use IDN trickery
- it's ok for certificate vendors to sell certificates that seem to be tied to some known entity but are in reality tied to a different entity

All of these are unacceptable and we as users of these services, community members, engineers and IETF members should do what we can to make sure that they don't happen.

Last but not least, I'm guessing that "ben Laurie" is actually "Ben Laurie".
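To make the Digest point above concrete, here is an added example (not part of the message or of the draft) of the RFC 2617 challenge/response computation with qop="auth": the server stores and compares only HA1-derived values, so the password itself never crosses the wire, which is the property the form-based login lacks. The realm, user, password and URI are constructed sample values; the one-use nonce set is a simplification of the RFC's nonce-count handling, not something RFC 2617 prescribes.

```python
import hashlib
import secrets

# Added example: RFC 2617 Digest Access Authentication, qop="auth".
# Shows what the client sends (a hash bound to realm, nonce and URI)
# versus what a form login would send (the clear-text password).


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 3.2.2.2: HA1 = MD5(username ":" realm ":" password).
    # The server can keep HA1 instead of the password itself.
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # HA2 = MD5(method ":" uri)
    # response = MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)
    h_a2 = _md5(f"{method}:{uri}")
    return _md5(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


class DigestServer:
    """Minimal verifier: per-user HA1, fresh nonces, single-use check."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}       # username -> HA1
        self.nonces = set()   # outstanding nonces (simplification: one use each)

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.nonces or username not in self.users:
            return False
        expected = digest_response(self.users[username], method, uri, nonce, nc, cnonce)
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.nonces.discard(nonce)   # consumed: a replay of the same values fails
        return ok


def demo():
    # Constructed sample credentials; a real deployment would use its own.
    server = DigestServer("example.test")
    server.add_user("alice", "correct horse battery staple")
    nonce, cnonce, nc = server.challenge(), "0a4f113b", "00000001"
    resp = digest_response(ha1("alice", "example.test", "correct horse battery staple"),
                           "GET", "/account", nonce, nc, cnonce)
    first = server.verify("alice", "GET", "/account", nonce, nc, cnonce, resp)
    replay = server.verify("alice", "GET", "/account", nonce, nc, cnonce, resp)
    return first, replay, resp
```

Note that nothing here authenticates the server to the client; an active man in the middle that relays the challenge and response is exactly the gap the message identifies.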