Re: [Model-t] w3c also thinking about threat models

Dominique Lazanski <dml@lastpresslabel.com> Mon, 23 September 2019 16:04 UTC

From: Dominique Lazanski <dml@lastpresslabel.com>
Date: Mon, 23 Sep 2019 17:04:18 +0100
Cc: Bret Jordan <jordan.ietf@gmail.com>, model-t@iab.org
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/nGJBdZ_YHKYPumdXfI6ATRFVPjQ>


> On 23 Sep 2019, at 16:32, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Bret,
> 
> On 23/09/2019 15:41, Bret Jordan wrote:
> 
>> Given how nearly all attacks, campaigns, malware, and intrusion sets
>> use the web or software connecting to the web 
> 
> Malware (ab)using the web doesn't imply anything about
> what might be right or wrong with the current web security
> model though. Same as malware doing that doesn't imply
> anything about the security model for IP, which is also
> in use in almost all such cases.
> 
> I think that's an error that keeps cropping up in these
> discussions that we might wanna try figure out some, i.e.,
> (and generalising) if protocol-X can be abused for bad-thing-Y
> in a way that's (from some vantage point) indistinguishable
> from nominal use of protocol-X, then what does that say about
> the threat model used to develop protocol-X? It might be
> evidence that a better threat model would have resulted
> in a better protocol-X, or, it might be due to a problem
> with that vantage point (no longer) being a good place to
> distinguish nominal behaviour vs. bad-thing-Y, for protocol-X.
> 
> In the case of the web, I think a lot of the issues raised
> by folks like yourself seem to come down to the shift from
> a cleartext to a ciphertext web changing the set of vantage
> points from which one can (trivially) attempt to make such
> distinctions.
> 
> That doesn't imply that the web security model is broken
> though, given the set of trade-offs that have to be dealt
> with. (And also given the set of IETF consensus positions
> about e2e and not breaking crypto etc. that are relevant to
> this discussion, if we want a successful outcome to bring
> back into IETF-land.) Nor does that change mean that the set
> of problems faced by enterprise networks are to be ignored,
> but ISTM the current web security model and the practicalities
> of changing that do constrain how one might sensibly go about
> trying to improve the situation for users and operators of
> such networks. (And I agree improvements are needed or I'd
> not be interested in this discussion:-)

FWIW it would be useful to be all inclusive with ideas and threats and then define what is in and out of scope for the threat model rather than limit the scope right away. 

> 
>> to either compromise
>> victims, 
> 
> Where web vulns are used as part of a compromise, then
> yes, those indicate problems with the web security model.
> Meaning the likes of XSS happens too easily etc. I guess
> ideas to try improve those might mostly be better handled
> in the W3C though, but discussing 'em here seems reasonable
> as long as we keep that in mind.
> 
>> exfiltrate personal or private information from victims, or
>> destroy victims’ information I think one could easily argue that your
>> statement that there is "a reasonably worked out security model" is
>> false.
> 
> Except that wasn't my statement, that's just a misquote.
> What I said was "...a reasonably worked out, (even if
> imperfect) security model (the SOP etc)..." after which
> I bemoaned the privacy impacts of the current web;-)
> 
> Cheers,
> S.
> 
>> 
>> 
>> 
>> Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8
>> ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however,
>> the only thing that can not be unscrambled is an egg."
>> 
>>> On Sep 20, 2019, at 2:01 PM, Stephen Farrell
>>> <stephen.farrell@cs.tcd.ie> wrote:
>>> 
>>> On 20/09/2019 18:48, Bret Jordan wrote:
>>>> Yes, privacy is just one facet.
>>> 
>>> Sure, it's clearly true that privacy is not everything in the IETF
>>> context, nor in w3c either. I guess the argument for putting more
>>> focus on privacy in w3c might be that the web has a reasonably
>>> worked out, (even if imperfect) security model (the SOP etc), but
>>> that the web has been pretty awful for privacy. Well, that's an 
>>> argument I'd make, not sure if the people involved in the w3c work
>>> would:-)
>>> 
>>> S.
>>> 
>>>> 
>>>> 
>>>> Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8
>>>> ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw,
>>>> however, the only thing that can not be unscrambled is an egg."
>>>> 
>>>>> On Sep 20, 2019, at 11:12 AM, Dominique Lazanski
>>>>> <dml@lastpresslabel.com> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 20 Sep 2019, at 11:26, Stephen Farrell
>>>>>> <stephen.farrell@cs.tcd.ie> wrote:
>>>>>> 
>>>>>> 
>>>>>> Hiya,
>>>>>> 
>>>>>> Hope we all had a nice summer break from this discussion, but
>>>>>> I'd like to try see if we can get back at it, so I've added
>>>>>> reviewing the various drafts folks have posted to my todo 
>>>>>> list - I hope to send some comments/reviews in the next
>>>>>> week-ish.
>>>>>> 
>>>>>> In the meantime, it looks like w3c are also thinking about
>>>>>> threat models [1] which is interesting.
>>>>>> 
>>>>>> Cheers, S.
>>>>> 
>>>>> Thanks for kick starting this list again especially after the
>>>>> summer!
>>>>> 
>>>>> Interesting W3C work, but I would add that they are only
>>>>> looking at privacy threat models so they have that covered.
>>>>> Perhaps we should look at system security threat models since
>>>>> W3C has kicked off their work specifically on privacy. That way
>>>>> we can be more holistic about the work.
>>>>> 
>>>>> Looking forward to the discussions.
>>>>> 
>>>>> Dominique
>>>>> 