Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Tobias Gondrom <> Tue, 20 January 2015 01:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 99E7A1A898E for <>; Mon, 19 Jan 2015 17:30:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -95.665
X-Spam-Status: No, score=-95.665 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=1.951, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, J_BACKHAIR_33=1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CXl-ZvEjGJhc for <>; Mon, 19 Jan 2015 17:30:40 -0800 (PST)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1E2BC1A8859 for <>; Mon, 19 Jan 2015 17:30:40 -0800 (PST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 029CE631BC; Tue, 20 Jan 2015 02:30:35 +0100 (CET)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; b=qMB8a9BL3JGOTzRDEuP/x+Jrc6ZumO5eq+35FNfL/KJfNAi3zhDTQ95AlakWOuw74lZ5Z99p7xpk2zzudMStBgevUGakQpcYNcNK2G1ujLJmAoYHxCtPplCQP6PYHECZn3zfwFzNYlEu2VUpw0CeFMB+3AC0hKWdFLoLRZr2VAk=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Message-ID: <>
Date: Tue, 20 Jan 2015 01:30:35 +0000
From: Tobias Gondrom <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Jan 2015 01:30:42 -0000

Hi Chris,

good to hear.

And just to add: even without websec, if you think something that goes 
beyond DNS namespace relationships or the scope of the other WG is 
needed, at the IETF there is also the possibility for individual 
submissions. Downside with individual drafts is, it is much harder to 
get good community review and assemble a team working on the draft. But 
this option is available.

All the best, Tobias

On 20/01/15 01:22, Chris Hartmann wrote:
> Thanks Jeff, Tobias.
> Yes, dbound does seem to resonate pretty well with where I was going
> here. Ironic and fortunate to catch it now while it's still
> crystalizing. Although I believe there is room to contemplate
> extending the concept beyond pure DNS namespace relationships (I'd
> like to see URI<->URI), some of the core problems/principals seem to
> be the same, great.
> Chris
> On Wed, Jan 14, 2015 at 4:16 AM, Tobias Gondrom
> <>; wrote:
>> Hi Chris, hi all,
>> let me say, I can see a missing link here which would be nice to solve.
>> Btw. another example coming to mind would be the connection with external
>> payment services or increasing number of references to cloud based services
>> (where it is not sure that is indeed using
>> E.g. e-commerce sites linking to paypal or Mastercard / Visa vericode (or
>> whatever they call it) directly out of the e-commerce site...
>> Some improvement in the trust chain could indeed be valuable here.
>> Having said that, if another WG is already working in this area - Jeff
>> mentioned dbound - then my recommendation would be to take the work there.
>> WEBSEC is about to be closed, we are only waiting for the final release of
>> our last document.
>> Best regards, Tobias
>> On 14/01/15 00:44, Jeffrey Walton wrote:
>>>> Is this a security problem? I think so.
>>> Yes. Knowing the relationship would be helpful in a security context.
>>>> I have a few ideas on how this could be improved/implemented.
>>> Dbound is poking and prodding at related issues. And they are
>>> finalizing their charter now. You might consider reading some of the
>>> recent posts and commenting.
>>> Jeff
>>> On Mon, Jan 12, 2015 at 2:18 PM, Chris Hartmann <>;
>>> wrote:
>>>> 1) Bob trusts and does personal business with
>>>> 2) forms a business relationship with to perform a
>>>> business function on its behalf (payment processor, blog, whatever).
>>>> The landing page is
>>>> 3) Bob visits and notices that the page claims to be
>>>> affiliated and owned by
>>>> 4) How can Bob, in absolute terms, trust that is affiliated
>>>> and a delegated service by (say, prior to submitting sensitive
>>>> information)
>>>> Is this a security problem? I think so.
>>>> We’ve all had to make this decision one time or another on weak
>>>> inferences and correlations. I’d imagine Phishers don’t mind at all
>>>> that there is an inability for the common internet user (looking at
>>>> you grandma) to make the judgement call on web service affiliations.
>>>> They’ve been conditioned with the best practice of looking at the
>>>> address bar (and perhaps the DNS namespace) along with the lock icon
>>>> to indicate trustworthiness, which may actually help the attacker in
>>>> their act of misdirection. Inter-domain relationships model business
>>>> relationships and trust. If web users could be armed with a new
>>>> “sense” which proves these legitimate relationships (say
>>>> cryptographically) then perhaps they would have more reason to be
>>>> skeptical of those who cannot prove their affiliation. I’m not saying
>>>> we can take human judgement completely out of the equation, but why
>>>> not have a tool to help anchor this commonly needed and risky
>>>> correlation.
>>>> Eg:
>>>> 5) is a bad guy and claims the same thing as .
>>>> Now who to trust becomes a research project. (But has the https
>>>> lock icon, doesn’t that count for anything: NO)
>>>> Use case a) Tim submits a payment to a Paypal donation
>>>> page he found via his favorite search engine. It was a scam. (We can
>>>> argue a violation of "best practices" here, but that is besides the
>>>> point)
>>>> I suppose phishing isn’t the only example. It could apply to any case
>>>> where you want to logically group the identity of one entity across
>>>> many domain boundaries owned by different parties. (eg. A popular band
>>>> has many web points of presence for fans, etc). This same mechanism
>>>> could “certify” that these web assets are under one umbrella, although
>>>> they don’t exist under one domain hierarchy.
>>>> Should we solve this? Is it solved already? Could use help gelling or
>>>> junking this idea.
>>>> I have a few ideas on how this could be improved/implemented.
>>>> Cheers,
>>> _______________________________________________
>>> websec mailing list