IETF Logo Mail Archive

Re: [TLS] [certid] review of draft-saintandre-tls-server-id-check-09

Marsh Ray <marsh@extendedsubset.com> Thu, 23 September 2010 15:56 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFA543A6B0E; Thu, 23 Sep 2010 08:56:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[AWL=0.558, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPvoH0LItmOd; Thu, 23 Sep 2010 08:56:49 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 73DC83A698F; Thu, 23 Sep 2010 08:56:48 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OyoAf-000NXC-Pd; Thu, 23 Sep 2010 15:57:17 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 975CA6029; Thu, 23 Sep 2010 15:57:09 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/2JR+pKoEGJ4hjZWy81NDrlQDQhsP/hNk=
Message-ID: <4C9B78D5.4090907@extendedsubset.com>
Date: Thu, 23 Sep 2010 10:57:09 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.12) Gecko/20100915 Thunderbird/3.0.8
MIME-Version: 1.0
To: mrex@sap.com
References: <201009230148.o8N1m825020375@fs4113.wdf.sap.corp>
In-Reply-To: <201009230148.o8N1m825020375@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "Henry B. Hotz" <hotz@jpl.nasa.gov>, certid@ietf.org, ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] [certid] review of draft-saintandre-tls-server-id-check-09
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2010 15:56:50 -0000

On 09/22/2010 08:48 PM, Martin Rex wrote:
> Henry B. Hotz wrote:
>>
>> [...] For example the user may trust a dedicated discovery service
>> or identity service that securely redirects requests from the source
>> to a target domain.
>
> Thinking about it, I feel slightly uneasy about some redirects, such as
> https://gmail.com  ->  301 ->   https://mail.google.com/mail
>
> I think these should never go without a warning.

That bugs me too. Lots of sites do it though, usually with Javascript.

> If my banks online-banking portal (https://www.<mybank>.de)
> would suddently redirect me to https://www.<mybank>.com before
> asking me for credentials and transaction authorization codes,
> that would be a real security problem, because www.<mybank>.com
> is not leased by my bank (it is apparently not currently leased to anyone)

Yep. There are often ways to make that happen with just a blind 
plaintext injection capability, too.

> A hacker that breaks into a web-site in order to do trap
> victims

The site is now 100% (to use the technical term) "pwned".

It's not possible for a network security protocol to survive the 
compromise of one of the endpoints. We can no longer reason about Alice 
and Bob if Bob is allowed to be under the hypnotic control of Eve.

I think it's dangerous to try. We're likely to optimize for cases of 
dubious security at the expense of some properly functioning cases.

> might be less easily detected if he doesn't subvert
> the entire site and tries to send collected data to external
> places, but instead puts redirects into place that browsers
> will blindly and silently follow, maybe additionally filtering
> the clients that will be redirected based on their origin,
> so that the helpdesk and security guys can not immediately
> repro it with their browsers.
>
> Should a users decision to trust a particular service with
> a particular issue always imply that this particular service
> is a fully trusted naming service (i.e. one that performs
> secure name transformations)?

There are lots of ways a site can delegate its security like that. They 
could load Javascript or HTML from external sites, for example. They can 
use headers and script to broaden the origin which the browser trusts.

http://code.google.com/p/browsersec/wiki/Part2

Not to mention that they could simply proxy the requests on the server 
side, outsource their servers to someone untrustworthy, add insecure 3rd 
party tracking cookies, redirect via non-SSL HTTP, and so on.

Once your browser trusts a server to serve some domain/origin, there's 
almost nothing that server can't do with its identity, including 
delegate it to someone else (intentionally or not).

- Marsh

v2.23.0 | Report a Bug | By Email