IETF Logo Mail Archive

Re: [Model-t] w3c also thinking about threat models

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 23 September 2019 15:32 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C0BF1200C1 for <model-t@ietfa.amsl.com>; Mon, 23 Sep 2019 08:32:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zKaCkCqtl-aw for <model-t@ietfa.amsl.com>; Mon, 23 Sep 2019 08:32:07 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F92D120018 for <model-t@iab.org>; Mon, 23 Sep 2019 08:32:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E380EBE39; Mon, 23 Sep 2019 16:32:04 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hEdC6kKVnds; Mon, 23 Sep 2019 16:32:04 +0100 (IST)
Received: from [134.226.36.93] (unknown [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A3B90BE2F; Mon, 23 Sep 2019 16:32:04 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1569252724; bh=fVmE8wYq/YdL6mK7BArNQU3euiJ126k6eR8noC9mmu4=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=qykjBysc7Gn93f1yxBZiVO9vqPWWC+387KTbx3Jx+1EpAGqCsCeonR4cUQT1pYh2p W+V27WnGjD3800FWTz49a4As/yqqMhH7l0goZOibg0cCinB8TTjD7FbYUu3aceBK6V FmpZDsYPLeMOQLIw4iIrNNf408ziLqAaDNuvC9dk=
To: Bret Jordan <jordan.ietf@gmail.com>
Cc: Dominique Lazanski <dml@lastpresslabel.com>, model-t@iab.org
References: <a327c668-6a17-bb9f-318e-e3cea6c6c1d0@cs.tcd.ie> <624F4CA6-8D84-4BD8-A74C-E5AE22709F72@lastpresslabel.com> <A30308F8-D2A5-45CF-88D9-D65240972D51@gmail.com> <27c70832-a631-4622-6119-3a47928c634e@cs.tcd.ie> <49EC2254-981B-4B79-9116-AC24385C2287@gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <e22b6512-ec19-24dd-56fa-38ac87d1a321@cs.tcd.ie>
Date: Mon, 23 Sep 2019 16:32:03 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <49EC2254-981B-4B79-9116-AC24385C2287@gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="zI5MQkWoLxEW4gQ1cLcQBqQq3a9BKS4O4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/iDyxDTvqMwb50P-LT2PnW0EkSnc>
Subject: Re: [Model-t] w3c also thinking about threat models
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 15:32:11 -0000

Bret,

On 23/09/2019 15:41, Bret Jordan wrote:

> Given how nearly all attacks, campaigns, malware, and intrusion sets
> use the web or software connecting to the web 

Malware (ab)using the web doesn't imply anything about
what might be right or wrong with the current web security
model though. Same as malware doing that doesn't imply
anything about the security model for IP, which is also
in use in almost all such cases.

I think that's an error that keeps cropping up in these
discussions that we might wanna try figure out some, i.e.,
(and generalising) if protocol-X can be abused for bad-thing-Y
in a way that's (from some vantage point) indistinguishable
from nominal use of protocol-X, then what does that say about
the threat model used to develop protocol-X? It might be
evidence that a better threat model would have resulted
in a better protocol-X, or, it might be due to a problem
with that vantage point (no longer) being a good place to
distinguish nominal behaviour vs. bad-thing-Y, for protocol-X.

In the case of the web, I think a lot of the issues raised
by folks like yourself seem to come down to the shift from
a cleartext to a ciphertext web changing the set of vantage
points from which one can (trivially) attempt to make such
distinctions.

That doesn't imply that the web security model is broken
though, given the set of trade-offs that have to be dealt
with. (And also given the set of IETF consensus positions
about e2e and not breaking crypto etc. that are relevant to
this discussion, if we want a successful outcome to bring
back into IETF-land.) Nor does that change mean that the set
of problems faced by enterprise networks are to be ignored,
but ISTM the current web security model and the practicalities
of changing that do constrain how one might sensibly go about
trying to improve the situation for users and operators of
such networks. (And I agree improvements are needed or I'd
not be interested in this discussion:-)

> to either compromise
> victims, 

Where web vulns are used as part of a compromise, then
yes, those indicate problems with the web security model.
Meaning the likes of XSS happens too easily etc. I guess
ideas to try improve those might mostly be better handled
in the W3C though, but discussing 'em here seems reasonable
as long as we keep that in mind.

> exfiltrate personal or private information from victims, or
> destroy victims’ information I think one could easily argue that your
> statement that there is "a reasonably worked out security model" is
> false.

Except that wasn't my statement, that's just a misquote.
What I said was "...a reasonably worked out, (even if
imperfect) security model (the SOP etc)..." after which
I bemoaned the privacy impacts of the current web;-)

Cheers,
S.

> 
> 
> 
> Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8
> ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however,
> the only thing that can not be unscrambled is an egg."
> 
>> On Sep 20, 2019, at 2:01 PM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>> 
>> On 20/09/2019 18:48, Bret Jordan wrote:
>>> Yes, privacy is just one facet.
>> 
>> Sure, it's clearly true that privacy is not everything in the IETF
>> context, nor in w3c either. I guess the argument for putting more
>> focus on privacy in w3c might be that the web has a reasonably
>> worked out, (even if imperfect) security model (the SOP etc), but
>> that the web has been pretty awful for privacy. Well, that's an 
>> argument I'd make, not sure if the people involved in the w3c work
>> would:-)
>> 
>> S.
>> 
>>> 
>>> 
>>> Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8
>>> ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw,
>>> however, the only thing that can not be unscrambled is an egg."
>>> 
>>>> On Sep 20, 2019, at 11:12 AM, Dominique Lazanski
>>>> <dml@lastpresslabel.com> wrote:
>>>> 
>>>> 
>>>> 
>>>>> On 20 Sep 2019, at 11:26, Stephen Farrell
>>>>> <stephen.farrell@cs.tcd.ie> wrote:
>>>>> 
>>>>> 
>>>>> Hiya,
>>>>> 
>>>>> Hope we all had a nice summer break from this discussion, but
>>>>> I'd like to try see if we can get back at it, so I've added
>>>>> reviewing the various drafts folks have posted to my todo 
>>>>> list - I hope to send some comments/reviews in the next
>>>>> week-ish.
>>>>> 
>>>>> In the meantime, it looks like w3c are also thinking about
>>>>> threat models [1] which is interesting.
>>>>> 
>>>>> Cheers, S.
>>>> 
>>>> Thanks for kick starting this list again especially after the
>>>> summer!
>>>> 
>>>> Interesting W3C work, but I would add that they are only
>>>> looking at privacy threat models so they have that covered.
>>>> Perhaps we should look at system security threat models since
>>>> W3C has kicked off their work specifically on privacy. That way
>>>> we can be more holistic about the work.
>>>> 
>>>> Looking forward to the discussions.
>>>> 
>>>> Dominique
>>>> 
>>>> -- Model-t mailing list Model-t@iab.org 
>>>> https://www.iab.org/mailman/listinfo/model-t
>>> 
>>> 
>>> 
>> <0x5AB2FAF17B172BEA.asc>
> 
> 
>

v2.23.0 | Report a Bug | By Email