Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Chris Hartmann <cxhartmann@gmail.com> Tue, 20 January 2015 01:22 UTC

Return-Path: <cxhartmann@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 020DD1A8AB7 for <websec@ietfa.amsl.com>; Mon, 19 Jan 2015 17:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.7
X-Spam-Level: *
X-Spam-Status: No, score=1.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_BACKHAIR_33=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYre7G9r_zfR for <websec@ietfa.amsl.com>; Mon, 19 Jan 2015 17:22:51 -0800 (PST)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5752A1A8A05 for <websec@ietf.org>; Mon, 19 Jan 2015 17:22:51 -0800 (PST)
Received: by mail-ob0-f172.google.com with SMTP id wp18so10602253obc.3 for <websec@ietf.org>; Mon, 19 Jan 2015 17:22:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=FgjVkrmJa0XXEvwOeXFqWr2/fV3HHngCox1gixifJag=; b=00ZPetqHm6z93rgAh5ud79sbJoBbO2DWfNBhnhDsw+5wy7PABU/v0VY4rBN3rNNNRc VtYeGKuXCGfnlXuLg2uWPtX/ahL0Fch8zBKnLmvUqVTdGGXz258v57cWgB1HIlfM7l/3 WAiTTKsGWGenoiYK/Hx1yt2FHV8LRQ9+t/gKVcdd6VJ1QQLUiOOTtzk4bDiEqSMdXNpz DUS97xJyt8CAPv+k5+PuXjdbi65PfSgmi/MigflqbagYKZft6ilf6PkaHzV3W7d2wfPF ZDLAwgMrUXM1K/fa5BTW4QZznOq8wXrkueRtVFOgW3VfBmM4WIPwuHwKv9rM+pwrCWtf a48Q==
MIME-Version: 1.0
X-Received: by 10.202.225.214 with SMTP id y205mr19237879oig.60.1421716970548; Mon, 19 Jan 2015 17:22:50 -0800 (PST)
Received: by 10.202.45.78 with HTTP; Mon, 19 Jan 2015 17:22:50 -0800 (PST)
In-Reply-To: <54B65E34.2050909@gondrom.org>
References: <CAL1pEULxwcStS6EDfYtpV+neU2izz2gLsJi2Ak7OVxB9x8MzhA@mail.gmail.com> <CAH8yC8=scFxjnxKLvzfaJ8qwp5-stXhX-6M7GagssjP7AzrGbw@mail.gmail.com> <54B65E34.2050909@gondrom.org>
Date: Mon, 19 Jan 2015 17:22:50 -0800
Message-ID: <CAL1pEU+_mD_-nXWq-pJA22jPgnTPOoCTdTi5rzUQQG1r-V1ncQ@mail.gmail.com>
From: Chris Hartmann <cxhartmann@gmail.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/7dsx9xvd8G6R1xymxsAavQ8lguE>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jan 2015 01:22:53 -0000

Thanks Jeff, Tobias.

Yes, dbound does seem to resonate pretty well with where I was going
here. Ironic and fortunate to catch it now while it's still
crystalizing. Although I believe there is room to contemplate
extending the concept beyond pure DNS namespace relationships (I'd
like to see URI<->URI), some of the core problems/principals seem to
be the same, great.

Chris

On Wed, Jan 14, 2015 at 4:16 AM, Tobias Gondrom
<tobias.gondrom@gondrom.org>; wrote:
> Hi Chris, hi all,
>
> let me say, I can see a missing link here which would be nice to solve.
>
> Btw. another example coming to mind would be the connection with external
> payment services or increasing number of references to cloud based services
> (where it is not sure that a.com is indeed using b.com).
> E.g. e-commerce sites linking to paypal or Mastercard / Visa vericode (or
> whatever they call it) directly out of the e-commerce site...
>
> Some improvement in the trust chain could indeed be valuable here.
>
> Having said that, if another WG is already working in this area - Jeff
> mentioned dbound - then my recommendation would be to take the work there.
> WEBSEC is about to be closed, we are only waiting for the final release of
> our last document.
>
> Best regards, Tobias
>
>
>
>
>
> On 14/01/15 00:44, Jeffrey Walton wrote:
>>>
>>> Is this a security problem? I think so.
>>
>> Yes. Knowing the relationship would be helpful in a security context.
>>
>>> I have a few ideas on how this could be improved/implemented.
>>
>> Dbound is poking and prodding at related issues. And they are
>> finalizing their charter now. You might consider reading some of the
>> recent posts and commenting.
>>
>> https://www.ietf.org/mailman/listinfo/dbound.
>>
>> Jeff
>>
>> On Mon, Jan 12, 2015 at 2:18 PM, Chris Hartmann <cxhartmann@gmail.com>;
>> wrote:
>>>
>>> 1) Bob trusts and does personal business with a.com.
>>>
>>> 2) a.com forms a business relationship with b.com to perform a
>>> business function on its behalf (payment processor, blog, whatever).
>>> The landing page is b.com/a
>>>
>>> 3) Bob visits b.com/a and notices that the page claims to be
>>> affiliated and owned by a.com
>>>
>>> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated
>>> and a delegated service by a.com? (say, prior to submitting sensitive
>>> information)
>>>
>>> Is this a security problem? I think so.
>>>
>>> We’ve all had to make this decision one time or another on weak
>>> inferences and correlations. I’d imagine Phishers don’t mind at all
>>> that there is an inability for the common internet user (looking at
>>> you grandma) to make the judgement call on web service affiliations.
>>> They’ve been conditioned with the best practice of looking at the
>>> address bar (and perhaps the DNS namespace) along with the lock icon
>>> to indicate trustworthiness, which may actually help the attacker in
>>> their act of misdirection. Inter-domain relationships model business
>>> relationships and trust. If web users could be armed with a new
>>> “sense” which proves these legitimate relationships (say
>>> cryptographically) then perhaps they would have more reason to be
>>> skeptical of those who cannot prove their affiliation. I’m not saying
>>> we can take human judgement completely out of the equation, but why
>>> not have a tool to help anchor this commonly needed and risky
>>> correlation.
>>>
>>> Eg:
>>>
>>> 5) https://c.com/a is a bad guy and claims the same thing as b.com/a .
>>> Now who to trust becomes a research project. (But c.com has the https
>>> lock icon, doesn’t that count for anything: NO)
>>>
>>>
>>> Use case a) Tim submits a payment to a redcross.org Paypal donation
>>> page he found via his favorite search engine. It was a scam. (We can
>>> argue a violation of "best practices" here, but that is besides the
>>> point)
>>>
>>>
>>> I suppose phishing isn’t the only example. It could apply to any case
>>> where you want to logically group the identity of one entity across
>>> many domain boundaries owned by different parties. (eg. A popular band
>>> has many web points of presence for fans, etc). This same mechanism
>>> could “certify” that these web assets are under one umbrella, although
>>> they don’t exist under one domain hierarchy.
>>>
>>> Should we solve this? Is it solved already? Could use help gelling or
>>> junking this idea.
>>>
>>> I have a few ideas on how this could be improved/implemented.
>>>
>>> Cheers,
>>>
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>
>