Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Chris Hartmann <> Tue, 20 January 2015 01:22 UTC


Thanks Jeff, Tobias.

Yes, dbound does seem to resonate pretty well with where I was going
here. Ironic and fortunate to catch it now while it's still
crystallizing. Although I believe there is room to contemplate
extending the concept beyond pure DNS namespace relationships (I'd
like to see URI<->URI), some of the core problems/principles seem to
be the same, great.


On Wed, Jan 14, 2015 at 4:16 AM, Tobias Gondrom
<> wrote:
> Hi Chris, hi all,
> let me say, I can see a missing link here which would be nice to solve.
> Btw. another example coming to mind would be the connection with external
> payment services or increasing number of references to cloud based services
> (where it is not sure that is indeed using
> E.g. e-commerce sites linking to paypal or Mastercard / Visa vericode (or
> whatever they call it) directly out of the e-commerce site...
> Some improvement in the trust chain could indeed be valuable here.
> Having said that, if another WG is already working in this area - Jeff
> mentioned dbound - then my recommendation would be to take the work there.
> WEBSEC is about to be closed, we are only waiting for the final release of
> our last document.
> Best regards, Tobias
> On 14/01/15 00:44, Jeffrey Walton wrote:
>>> Is this a security problem? I think so.
>> Yes. Knowing the relationship would be helpful in a security context.
>>> I have a few ideas on how this could be improved/implemented.
>> Dbound is poking and prodding at related issues. And they are
>> finalizing their charter now. You might consider reading some of the
>> recent posts and commenting.
>> Jeff
>> On Mon, Jan 12, 2015 at 2:18 PM, Chris Hartmann <>
>> wrote:
>>> 1) Bob trusts and does personal business with
>>> 2) forms a business relationship with to perform a
>>> business function on its behalf (payment processor, blog, whatever).
>>> The landing page is
>>> 3) Bob visits and notices that the page claims to be
>>> affiliated and owned by
>>> 4) How can Bob, in absolute terms, trust that is affiliated
>>> and a delegated service by (say, prior to submitting sensitive
>>> information)
>>> Is this a security problem? I think so.
>>> We’ve all had to make this decision one time or another on weak
>>> inferences and correlations. I’d imagine Phishers don’t mind at all
>>> that there is an inability for the common internet user (looking at
>>> you grandma) to make the judgement call on web service affiliations.
>>> They’ve been conditioned with the best practice of looking at the
>>> address bar (and perhaps the DNS namespace) along with the lock icon
>>> to indicate trustworthiness, which may actually help the attacker in
>>> their act of misdirection. Inter-domain relationships model business
>>> relationships and trust. If web users could be armed with a new
>>> “sense” which proves these legitimate relationships (say
>>> cryptographically) then perhaps they would have more reason to be
>>> skeptical of those who cannot prove their affiliation. I’m not saying
>>> we can take human judgement completely out of the equation, but why
>>> not have a tool to help anchor this commonly needed and risky
>>> correlation.
>>> Eg:
>>> 5) is a bad guy and claims the same thing as .
>>> Now who to trust becomes a research project. (But has the https
>>> lock icon, doesn’t that count for anything: NO)
>>> Use case a) Tim submits a payment to a Paypal donation
>>> page he found via his favorite search engine. It was a scam. (We can
>>> argue a violation of "best practices" here, but that is beside the
>>> point)
>>> I suppose phishing isn’t the only example. It could apply to any case
>>> where you want to logically group the identity of one entity across
>>> many domain boundaries owned by different parties. (eg. A popular band
>>> has many web points of presence for fans, etc). This same mechanism
>>> could “certify” that these web assets are under one umbrella, although
>>> they don’t exist under one domain hierarchy.
>>> Should we solve this? Is it solved already? Could use help gelling or
>>> junking this idea.
>>> I have a few ideas on how this could be improved/implemented.
>>> Cheers,
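An added illustration of the "cryptographic sense" Chris describes in steps 1-5 above; it is not code from the thread and not dbound's design. It assumes a hypothetical signed affiliation statement (the `Affiliation` struct, an Ed25519 key held by the principal) and constructed domain names (bank.example, pay.example, pay-example.test): the user's client accepts a delegate only when the principal it already trusts has signed for exactly that hostname, so a look-alike site that copies the claim cannot make it verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"time"
)

// Affiliation is a hypothetical statement by a principal domain that a
// delegate domain acts on its behalf for one purpose until Expires (Unix time).
type Affiliation struct {
	Principal string `json:"principal"`
	Delegate  string `json:"delegate"`
	Purpose   string `json:"purpose"`
	Expires   int64  `json:"expires"`
}

// encode gives the canonical bytes that are signed: the claim's JSON form.
func encode(a Affiliation) []byte {
	b, _ := json.Marshal(a) // marshalling this plain struct cannot fail
	return b
}

// Sign is run by the principal (the bank), which alone holds the private key.
func Sign(priv ed25519.PrivateKey, a Affiliation) []byte {
	return ed25519.Sign(priv, encode(a))
}

// Verify is the user-side check: the claim must name the principal the user trusts
// and the host actually visited, be unexpired, and carry the principal's signature.
func Verify(pub ed25519.PublicKey, a Affiliation, sig []byte, principal, visited string, now time.Time) bool {
	if a.Principal != principal || a.Delegate != visited || now.Unix() > a.Expires {
		return false
	}
	return ed25519.Verify(pub, encode(a), sig)
}

// Scenario plays out steps 1-5 with constructed names: bank.example delegates payments to
// pay.example; pay-example.test copies claim and signature but cannot re-sign its own name.
func Scenario() (legit, impostor bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	now := time.Date(2015, 1, 20, 0, 0, 0, 0, time.UTC)
	claim := Affiliation{"bank.example", "pay.example", "payments", now.Add(24 * time.Hour).Unix()}
	sig := Sign(priv, claim)
	legit = Verify(pub, claim, sig, "bank.example", "pay.example", now)
	forged := claim
	forged.Delegate = "pay-example.test"
	impostor = Verify(pub, forged, sig, "bank.example", "pay-example.test", now)
	return legit, impostor
}
```

How the principal's public key reaches the client (DNS, a registry, a browser list) is exactly the open question the thread leaves to dbound; the example only shows what the client can decide once it has it.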