Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Jeffrey Walton <> Wed, 14 January 2015 00:44 UTC

Date: Tue, 13 Jan 2015 19:44:37 -0500
Message-ID: <>
From: Jeffrey Walton <>
To: Chris Hartmann <>
Cc: IETF WebSec WG <>

> Is this a security problem? I think so.

Yes. Knowing the relationship would be helpful in a security context.

> I have a few ideas on how this could be improved/implemented.

Dbound is poking and prodding at related issues. And they are
finalizing their charter now. You might consider reading some of the
recent posts and commenting.


On Mon, Jan 12, 2015 at 2:18 PM, Chris Hartmann <> wrote:
> 1) Bob trusts and does personal business with
> 2) forms a business relationship with to perform a
> business function on its behalf (payment processor, blog, whatever).
> The landing page is
> 3) Bob visits and notices that the page claims to be
> affiliated and owned by
> 4) How can Bob, in absolute terms, trust that is affiliated
> and a delegated service by (say, prior to submitting sensitive
> information)
> Is this a security problem? I think so.
> We’ve all had to make this decision one time or another on weak
> inferences and correlations. I’d imagine Phishers don’t mind at all
> that there is an inability for the common internet user (looking at
> you grandma) to make the judgement call on web service affiliations.
> They’ve been conditioned with the best practice of looking at the
> address bar (and perhaps the DNS namespace) along with the lock icon
> to indicate trustworthiness, which may actually help the attacker in
> their act of misdirection. Inter-domain relationships model business
> relationships and trust. If web users could be armed with a new
> “sense” which proves these legitimate relationships (say
> cryptographically) then perhaps they would have more reason to be
> skeptical of those who cannot prove their affiliation. I’m not saying
> we can take human judgement completely out of the equation, but why
> not have a tool to help anchor this commonly needed and risky
> correlation.
> E.g.:
> 5) is a bad guy and claims the same thing as .
> Now who to trust becomes a research project. (But has the https
> lock icon, doesn’t that count for anything: NO)
> Use case a) Tim submits a payment to a PayPal donation
> page he found via his favorite search engine. It was a scam. (We can
> argue a violation of "best practices" here, but that is beside the
> point)
> I suppose phishing isn’t the only example. It could apply to any case
> where you want to logically group the identity of one entity across
> many domain boundaries owned by different parties. (eg. A popular band
> has many web points of presence for fans, etc). This same mechanism
> could “certify” that these web assets are under one umbrella, although
> they don’t exist under one domain hierarchy.
> Should we solve this? Is it solved already? Could use help gelling or
> junking this idea.
> I have a few ideas on how this could be improved/implemented.
> Cheers,
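The quoted post asks for a "sense" that proves an inter-domain affiliation cryptographically rather than by inference from the address bar or the lock icon. The following is an added illustration of one such mechanism and is not code from the thread, from the websec or dbound work, or from any deployed standard: each party publishes an Ed25519-signed half of a mutual affiliation assertion, and a verifier (the user agent on the delegate's landing page) accepts only when both halves name the same pair and each verifies under the key published by the party it speaks for. The domain names (`bank.example`, `pay.example`, `evil.example`), the `Assertion` JSON shape, and the in-memory `KeyDirectory` standing in for whatever channel (DNS, a well-known resource) would publish the keys are all constructed for the example. The impostor case corresponds to item 5 above: a domain can sign anything it likes with its own key, but cannot produce a half that verifies under the principal's published key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is one half of a mutual affiliation claim (constructed format).
// The principal names the delegate acting on its behalf; the delegate
// publishes a matching half. json.Marshal of this struct is the signing form.
type Assertion struct {
	Principal string `json:"principal"`
	Delegate  string `json:"delegate"`
	Purpose   string `json:"purpose"`
	NotAfter  int64  `json:"not_after"` // Unix seconds
}

// Signed couples an assertion with an Ed25519 signature by the party named in Signer.
type Signed struct {
	Assertion Assertion
	Signer    string
	Sig       []byte
}

// KeyDirectory stands in for the channel that publishes each domain's public key.
type KeyDirectory map[string]ed25519.PublicKey

func canonical(a Assertion) ([]byte, error) { return json.Marshal(a) }

// Sign produces one half of the affiliation, signed with the signer's private key.
func Sign(a Assertion, signer string, priv ed25519.PrivateKey) (Signed, error) {
	msg, err := canonical(a)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Assertion: a, Signer: signer, Sig: ed25519.Sign(priv, msg)}, nil
}

// verifyHalf checks one half against the key the directory publishes for its signer.
func verifyHalf(s Signed, dir KeyDirectory) error {
	pub, ok := dir[s.Signer]
	if !ok {
		return fmt.Errorf("no published key for %s", s.Signer)
	}
	msg, err := canonical(s.Assertion)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Sig) {
		return fmt.Errorf("signature by %s does not verify", s.Signer)
	}
	return nil
}

// VerifyAffiliation accepts only if both halves name the same pair, each half is
// signed by the party it speaks for, neither has expired, and both signatures
// verify under the published keys. A self-made claim fails on the principal's half.
func VerifyAffiliation(fromPrincipal, fromDelegate Signed, dir KeyDirectory, now int64) error {
	p, d := fromPrincipal.Assertion, fromDelegate.Assertion
	if p.Principal != d.Principal || p.Delegate != d.Delegate {
		return errors.New("the two halves do not name the same pair")
	}
	if fromPrincipal.Signer != p.Principal || fromDelegate.Signer != p.Delegate {
		return errors.New("each half must be signed by the party it speaks for")
	}
	if now > p.NotAfter || now > d.NotAfter {
		return errors.New("affiliation assertion expired")
	}
	if err := verifyHalf(fromPrincipal, dir); err != nil {
		return err
	}
	return verifyHalf(fromDelegate, dir)
}

func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo walks the thread's scenario with constructed names: bank.example delegates
// payments to pay.example, and evil.example claims the same affiliation.
// It returns the verification result for the genuine pair and for the impostor's.
func Demo() (genuine error, impostor error) {
	bankPub, bankPriv := keygen()
	payPub, payPriv := keygen()
	evilPub, evilPriv := keygen()
	dir := KeyDirectory{"bank.example": bankPub, "pay.example": payPub, "evil.example": evilPub}
	const now, later = int64(1421196277), int64(1421196277 + 86400*30)

	// Genuine: each party signs its own half with its own key.
	a := Assertion{Principal: "bank.example", Delegate: "pay.example", Purpose: "payments", NotAfter: later}
	fromBank, _ := Sign(a, "bank.example", bankPriv)
	fromPay, _ := Sign(a, "pay.example", payPriv)
	genuine = VerifyAffiliation(fromBank, fromPay, dir, now)

	// Impostor: evil.example fabricates the principal's half with its own key;
	// it cannot verify under the key the directory publishes for bank.example.
	b := Assertion{Principal: "bank.example", Delegate: "evil.example", Purpose: "payments", NotAfter: later}
	forgedBankHalf, _ := Sign(b, "bank.example", evilPriv)
	fromEvil, _ := Sign(b, "evil.example", evilPriv)
	impostor = VerifyAffiliation(forgedBankHalf, fromEvil, dir, now)
	return genuine, impostor
}

func main() {
	g, i := Demo()
	fmt.Println("genuine pair:", g)
	fmt.Println("impostor pair:", i)
}
```

Requiring both halves is the point: a one-sided claim on the delegate's page (the case the post describes, where the landing page merely says it is affiliated) proves nothing, while a half signed by the principal binds the principal to the delegate it named and can be revoked by letting it expire.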