Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
Chris Hartmann <cxhartmann@gmail.com> Tue, 20 January 2015 01:22 UTC
Return-Path: <cxhartmann@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 020DD1A8AB7 for <websec@ietfa.amsl.com>; Mon, 19 Jan 2015 17:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.7
X-Spam-Level: *
X-Spam-Status: No, score=1.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_BACKHAIR_33=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYre7G9r_zfR for <websec@ietfa.amsl.com>; Mon, 19 Jan 2015 17:22:51 -0800 (PST)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5752A1A8A05 for <websec@ietf.org>; Mon, 19 Jan 2015 17:22:51 -0800 (PST)
Received: by mail-ob0-f172.google.com with SMTP id wp18so10602253obc.3 for <websec@ietf.org>; Mon, 19 Jan 2015 17:22:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=FgjVkrmJa0XXEvwOeXFqWr2/fV3HHngCox1gixifJag=; b=00ZPetqHm6z93rgAh5ud79sbJoBbO2DWfNBhnhDsw+5wy7PABU/v0VY4rBN3rNNNRc VtYeGKuXCGfnlXuLg2uWPtX/ahL0Fch8zBKnLmvUqVTdGGXz258v57cWgB1HIlfM7l/3 WAiTTKsGWGenoiYK/Hx1yt2FHV8LRQ9+t/gKVcdd6VJ1QQLUiOOTtzk4bDiEqSMdXNpz DUS97xJyt8CAPv+k5+PuXjdbi65PfSgmi/MigflqbagYKZft6ilf6PkaHzV3W7d2wfPF ZDLAwgMrUXM1K/fa5BTW4QZznOq8wXrkueRtVFOgW3VfBmM4WIPwuHwKv9rM+pwrCWtf a48Q==
MIME-Version: 1.0
X-Received: by 10.202.225.214 with SMTP id y205mr19237879oig.60.1421716970548; Mon, 19 Jan 2015 17:22:50 -0800 (PST)
Received: by 10.202.45.78 with HTTP; Mon, 19 Jan 2015 17:22:50 -0800 (PST)
In-Reply-To: <54B65E34.2050909@gondrom.org>
References: <CAL1pEULxwcStS6EDfYtpV+neU2izz2gLsJi2Ak7OVxB9x8MzhA@mail.gmail.com> <CAH8yC8=scFxjnxKLvzfaJ8qwp5-stXhX-6M7GagssjP7AzrGbw@mail.gmail.com> <54B65E34.2050909@gondrom.org>
Date: Mon, 19 Jan 2015 17:22:50 -0800
Message-ID: <CAL1pEU+_mD_-nXWq-pJA22jPgnTPOoCTdTi5rzUQQG1r-V1ncQ@mail.gmail.com>
From: Chris Hartmann <cxhartmann@gmail.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/7dsx9xvd8G6R1xymxsAavQ8lguE>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jan 2015 01:22:53 -0000
Thanks Jeff, Tobias. Yes, dbound does seem to resonate pretty well with where I was going here. Ironic and fortunate to catch it now while it's still crystalizing. Although I believe there is room to contemplate extending the concept beyond pure DNS namespace relationships (I'd like to see URI<->URI), some of the core problems/principals seem to be the same, great. Chris On Wed, Jan 14, 2015 at 4:16 AM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote: > Hi Chris, hi all, > > let me say, I can see a missing link here which would be nice to solve. > > Btw. another example coming to mind would be the connection with external > payment services or increasing number of references to cloud based services > (where it is not sure that a.com is indeed using b.com). > E.g. e-commerce sites linking to paypal or Mastercard / Visa vericode (or > whatever they call it) directly out of the e-commerce site... > > Some improvement in the trust chain could indeed be valuable here. > > Having said that, if another WG is already working in this area - Jeff > mentioned dbound - then my recommendation would be to take the work there. > WEBSEC is about to be closed, we are only waiting for the final release of > our last document. > > Best regards, Tobias > > > > > > On 14/01/15 00:44, Jeffrey Walton wrote: >>> >>> Is this a security problem? I think so. >> >> Yes. Knowing the relationship would be helpful in a security context. >> >>> I have a few ideas on how this could be improved/implemented. >> >> Dbound is poking and prodding at related issues. And they are >> finalizing their charter now. You might consider reading some of the >> recent posts and commenting. >> >> https://www.ietf.org/mailman/listinfo/dbound. >> >> Jeff >> >> On Mon, Jan 12, 2015 at 2:18 PM, Chris Hartmann <cxhartmann@gmail.com> >> wrote: >>> >>> 1) Bob trusts and does personal business with a.com. >>> >>> 2) a.com forms a business relationship with b.com to perform a >>> business function on its behalf (payment processor, blog, whatever). >>> The landing page is b.com/a >>> >>> 3) Bob visits b.com/a and notices that the page claims to be >>> affiliated and owned by a.com >>> >>> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated >>> and a delegated service by a.com? (say, prior to submitting sensitive >>> information) >>> >>> Is this a security problem? I think so. >>> >>> We’ve all had to make this decision one time or another on weak >>> inferences and correlations. I’d imagine Phishers don’t mind at all >>> that there is an inability for the common internet user (looking at >>> you grandma) to make the judgement call on web service affiliations. >>> They’ve been conditioned with the best practice of looking at the >>> address bar (and perhaps the DNS namespace) along with the lock icon >>> to indicate trustworthiness, which may actually help the attacker in >>> their act of misdirection. Inter-domain relationships model business >>> relationships and trust. If web users could be armed with a new >>> “sense” which proves these legitimate relationships (say >>> cryptographically) then perhaps they would have more reason to be >>> skeptical of those who cannot prove their affiliation. I’m not saying >>> we can take human judgement completely out of the equation, but why >>> not have a tool to help anchor this commonly needed and risky >>> correlation. >>> >>> Eg: >>> >>> 5) https://c.com/a is a bad guy and claims the same thing as b.com/a . >>> Now who to trust becomes a research project. (But c.com has the https >>> lock icon, doesn’t that count for anything: NO) >>> >>> >>> Use case a) Tim submits a payment to a redcross.org Paypal donation >>> page he found via his favorite search engine. It was a scam. (We can >>> argue a violation of "best practices" here, but that is besides the >>> point) >>> >>> >>> I suppose phishing isn’t the only example. It could apply to any case >>> where you want to logically group the identity of one entity across >>> many domain boundaries owned by different parties. (eg. A popular band >>> has many web points of presence for fans, etc). This same mechanism >>> could “certify” that these web assets are under one umbrella, although >>> they don’t exist under one domain hierarchy. >>> >>> Should we solve this? Is it solved already? Could use help gelling or >>> junking this idea. >>> >>> I have a few ideas on how this could be improved/implemented. >>> >>> Cheers, >>> >> _______________________________________________ >> websec mailing list >> websec@ietf.org >> https://www.ietf.org/mailman/listinfo/websec > >
- [websec] Authentic inter-domain relationships. Is… Chris Hartmann
- Re: [websec] Authentic inter-domain relationships… Anne van Kesteren
- Re: [websec] Authentic inter-domain relationships… Gervase Markham
- Re: [websec] Authentic inter-domain relationships… Chris Hartmann
- Re: [websec] Authentic inter-domain relationships… Chris Hartmann
- Re: [websec] Authentic inter-domain relationships… Jeffrey Walton
- Re: [websec] Authentic inter-domain relationships… Anne van Kesteren
- Re: [websec] Authentic inter-domain relationships… Tobias Gondrom
- Re: [websec] Authentic inter-domain relationships… Chris Hartmann
- Re: [websec] Authentic inter-domain relationships… Igor Bukanov
- Re: [websec] Authentic inter-domain relationships… Chris Hartmann
- Re: [websec] Authentic inter-domain relationships… Tobias Gondrom