IETF Logo Mail Archive

Re: [Model-t] w3c also thinking about threat models

Christian Huitema <huitema@huitema.net> Mon, 23 September 2019 19:57 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07CB9120957 for <model-t@ietfa.amsl.com>; Mon, 23 Sep 2019 12:57:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xkEHOhdpEf9I for <model-t@ietfa.amsl.com>; Mon, 23 Sep 2019 12:57:48 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B44DC1208C8 for <model-t@iab.org>; Mon, 23 Sep 2019 12:57:48 -0700 (PDT)
Received: from xse477.mail2web.com ([66.113.197.223] helo=xse.mail2web.com) by mx64.antispamcloud.com with esmtp (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1iCUSw-000210-8j for model-t@iab.org; Mon, 23 Sep 2019 21:57:47 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 46cZjG6HLmz1kdM for <model-t@iab.org>; Mon, 23 Sep 2019 12:52:18 -0700 (PDT)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1iCUNe-00067L-Of for model-t@iab.org; Mon, 23 Sep 2019 12:52:18 -0700
Received: (qmail 13578 invoked from network); 23 Sep 2019 19:52:18 -0000
Received: from unknown (HELO [192.168.200.66]) (Authenticated-user:_huitema@huitema.net@[72.235.197.82]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <model-t@iab.org>; 23 Sep 2019 19:52:17 -0000
To: Watson Ladd <watsonbladd@gmail.com>, "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: model-t@iab.org
References: <a327c668-6a17-bb9f-318e-e3cea6c6c1d0@cs.tcd.ie> <624F4CA6-8D84-4BD8-A74C-E5AE22709F72@lastpresslabel.com> <A30308F8-D2A5-45CF-88D9-D65240972D51@gmail.com> <27c70832-a631-4622-6119-3a47928c634e@cs.tcd.ie> <49EC2254-981B-4B79-9116-AC24385C2287@gmail.com> <e22b6512-ec19-24dd-56fa-38ac87d1a321@cs.tcd.ie> <D68AA072-F5A6-4535-8CB3-AE9ADD07476D@huitema.net> <65703c0a-9148-077f-53d8-4781419b6b50@joelhalpern.com> <CACsn0ckS-m5p3cc7T9TT0ejkbEphUWgjjsqOcaW7Bx4vOU6=PA@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <941e9585-2828-4e9f-1279-08e487f6b499@huitema.net>
Date: Mon, 23 Sep 2019 09:52:10 -1000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.1.0
MIME-Version: 1.0
In-Reply-To: <CACsn0ckS-m5p3cc7T9TT0ejkbEphUWgjjsqOcaW7Bx4vOU6=PA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------95CBD5CDB97DB466A8091363"
Content-Language: en-US
X-Originating-IP: 66.113.197.223
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0dWQ8c9lblW44odAlK6ziUapSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDXz6Yli32IJdAuJ3ivsC2SsRX qYbtEQV1z/L435ZRxFQ+AKVTAMjsgutb3SCeMId7+rYZvu7UEJiU3s27VgKHO7lwS3dBJTnTxDoD vBGGxpgwWbxrOZCJSMpTl/yE2fo2GM0/FQln02Joy/riMeAD7wZ6weYgSzquK2hxskqXvy8woCTx LKweTbuJ+19zsyHVGVmhMAaQ/AfCRwRe7yHm5oY+NYmsSGn+svMubxnbgm1cr18FZBEPC2/c16Xd 7sC9aC4xteE1WLqGS9YoqrsZ2DyteN0e+ECCv9/f+GPymkgDVo7QBKA4MctKq4ifYPcXFRL2K3LA EfDXVOdt7wDbuhdxf5Dwg9wMBX5ckCo48ayVGvgdM/14NhEhsQ0jllqEE9ykbJ7I9co1MAEE3ruN Xsm8UJsAPvDcVSKtDCYkioPY5Qx4fJOk03R5fJtf/Dv/dkIzS7m4GUpXCY1Y3j3ileQtX44ad09m ARiBoFHKYOu44D1K03PNuL1c0rhma4+rjZ44u04H4/nsmByWIgvGj3nw0Xqh9NKwd2lgtqS5yTYv UwPy3x0FYtCNEb10sHyQCLHEvD1OqP6bgZ4L66GcgBg66gs5OuzYxJgw5atIxeNDvjI/CYe5WPy0 +t1RP0azTfCvXMOkHSwUjTLtcthkepxMPnetLBJMh51NiRRoHIAvUatuelOpi3eKDFDYitKmmiK7 x42VjdzChZMe6O/Did+/hGXTmfhE+Dx2/NyzMXqQrGmAbenh9woCcos937b+vOnCUbNPgcPcQwzM gKHyQxUo+ql2ySTkvEFH/23XMww2BnTTFGX5/yI4Ky+1ZJcbGqc5H4PEZHeoI/d6LWFf332z7LMw LGdoi9FMQ5j9dQUvMi1YKAun15JQSJLyCT5k+MTObVKxHy/dols381l9r9ft9daDonlwd6LnuX+J u10=
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/7-XRoa_h2MV74a-cqstmdce5GDk>
Subject: Re: [Model-t] w3c also thinking about threat models
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 19:57:59 -0000

On 9/23/2019 9:26 AM, Watson Ladd wrote:
>
>
> On Mon, Sep 23, 2019, 11:07 AM Joel M. Halpern <jmh@joelhalpern.com
> <mailto:jmh@joelhalpern.com>> wrote:
>
>     It seems pretty clear to me that if we take the view that
>     everything is
>     in scope, we will not produce any useful improvements in our current
>     security considerations in any reasonably measurable time.
>
>     It seems to follow that if we want useful results, we had best find
>     somewhere to draw a line and agree that we will deal with some
>     well-defined scope.
>
>     Of course, if all people want is a place to complain about the
>     interaction of architecture, protocol, implementation, and underlying
>     hardware flaws, I guess we can just complain forever.
>
>
> Amen! But I think we can look at actual gaps in the network security
> model vs the host security model vs what programmers and users expect
> etc. XSS can be seen as a consequence of lacking quotation mechanisms
> in server interpolated strings.
>
> We also shouldn't privilege one use case over others.


To answer Joel, I think there is a middle ground between "everything is
in scope" and "we don't worry about the implementation of the
endpoints". Clearly, we cannot address the multiple ways in which
endpoint security fails. On the other hand, we can accept the
possibility that endpoint security will sometimes fail, and incorporate
that in the threat model. Endpoint security failures often only affects
the endpoint itself, such as "get a virus, lose your files". I am not
proposing that the IETF discusses that. But many times, endpoint
security failures affect a number of other systems.

For example, we recently saw attacks in which the hackers gain
possession of one of the replicated DNS servers for a TLD, which allowed
them to put up a fake web server for a domain inside that TLD and
attempt to capture login credentials for users of that domain. The
attacks was not perfectly executed, but it seems that they could also
have obtained valid TLS certificates for that TLD using automated
services. Single point of failure, fairly bad results. If that is not in
scope for the revised threat model, what is?

-- Christian Huitema

v2.23.0 | Report a Bug | By Email