[secdir] Secdir review of draft-ietf-simple-chat-14

Vincent Roca <vincent.roca@inria.fr> Wed, 04 April 2012 13:53 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 78EB221F8470; Wed, 4 Apr 2012 06:53:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.715
X-Spam-Status: No, score=-109.715 tagged_above=-999 required=5 tests=[AWL=0.535, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id bOH-C4ztgp3C; Wed, 4 Apr 2012 06:53:40 -0700 (PDT)
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr []) by ietfa.amsl.com (Postfix) with ESMTP id 6D78421F8796; Wed, 4 Apr 2012 06:53:39 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.75,369,1330902000"; d="scan'208";a="152697882"
Received: from unknown (HELO []) ([]) by mail1-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 04 Apr 2012 15:53:30 +0200
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Wed, 04 Apr 2012 15:50:10 +0200
Message-Id: <51DE5E2E-1D51-4025-B55C-4B09EFA62468@inria.fr>
To: IESG IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-simple-chat.all@tools.ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [secdir] Secdir review of draft-ietf-simple-chat-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 13:53:40 -0000


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The authors, in section 11, discuss several simple security issues.
However I have the feeling that there aren't enough details on how to
avoid/mitigate them. Additionally, I'm not sure the section provides a
comprehensive analysis of security aspects. What about intelligent,
more elaborate attacks? 

Details for section 11 "Security considerations"

** The second paragraph explains several situations where a message can
be sent to several recipients without the sender knowing. It's a good
point to identify this problem, but I'd like to know how it can be
avoided (if possible). 
** It is said:
   "It's up to the policy of the MSRP
   switch if the messages are forwarded to the other participant's in
   the chat room using TLS [RFC5246] transport."
I'm surprised to see that a participant has no way to enforce a secure
end-to-end connection. At a minimum, can the participant know the
situation in order to take a decision? 
** It is said:
   "To avoid takeovers the MSRP switch MUST make sure that a nickname is
   unique inside a chat room."
Do you mean the protocol does not guaranty by design that a nickname is
unique at some point of time in a chat room? If this is the case it's
clearly a flaw that should be addressed within the protocol description,
not in the security considerations section.

Another remark: it's not sufficient to guaranty the uniqueness of the
nickname. Phishing attacks show us that two close URLs can mislead a
user, even if the URLs differ by at least one character. It would be 
wiser to recommend that nicknames be significantly different (the MSRP
can probably check the distance between a proposed nickname and those
already registered in the chat session).

** last sentence:
The following sentence is a bit strange and unclear:
   "If a nickname can be reserved if it previously has been used by another
   participant in the chat room, is up to the policy of the chat room."
I suggest:
  It is up to the policy of the chat room to determine if a nickname that
  has been previously used by another participant of the chat room can
  be reserved or not.

** General:
Several threats are missing in this document. In particular, 
what about attacks where some traffic is intercepted and modified
on-the-fly by the attacker? What about faked messages sent by an
attacker to the MSRP? Can a participant use some integrity service? 
This is not discussed.
I'd like to see guidelines on how a participant or MSRP administrator
can define a secure mode of operation. If not possible, I'd like to
see a detailed discussion of existing risks.