Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 14 January 2015 12:17 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 338601ACE44 for <websec@ietfa.amsl.com>; Wed, 14 Jan 2015 04:17:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.665
X-Spam-Level:
X-Spam-Status: No, score=-96.665 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=1.951, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QW2gWNp2YSv0 for <websec@ietfa.amsl.com>; Wed, 14 Jan 2015 04:16:58 -0800 (PST)
Received: from lvps5-35-241-16.dedicated.hosteurope.de (www.gondrom.org [5.35.241.16]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 818881B2C65 for <websec@ietf.org>; Wed, 14 Jan 2015 04:16:58 -0800 (PST)
Received: from [192.168.43.211] (unknown [85.255.233.129]) by lvps5-35-241-16.dedicated.hosteurope.de (Postfix) with ESMTPSA id 244156310A; Wed, 14 Jan 2015 13:16:55 +0100 (CET)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=KNLT6DhOIR3Rerl2cVsE1BlMvDRvIk60JltCSdzcT4Qp2Z6J5gb+9w7DCsDNEH+0w6vyqB3aUc2aThYAbVrmxnJaqro30rdGOarNITbROoVAEV8f/scLqHujMBPeiwAd/VJpbqbWbaBLdEBQD0adrxPtqs9IpWtdnm6prTmYyI8=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Message-ID: <54B65E34.2050909@gondrom.org>
Date: Wed, 14 Jan 2015 12:16:52 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: noloader@gmail.com, cxhartmann@gmail.com
References: <CAL1pEULxwcStS6EDfYtpV+neU2izz2gLsJi2Ak7OVxB9x8MzhA@mail.gmail.com> <CAH8yC8=scFxjnxKLvzfaJ8qwp5-stXhX-6M7GagssjP7AzrGbw@mail.gmail.com>
In-Reply-To: <CAH8yC8=scFxjnxKLvzfaJ8qwp5-stXhX-6M7GagssjP7AzrGbw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/874WDLRFmM_g3ADiurnkHqeUvQM>
Cc: websec@ietf.org
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 12:17:01 -0000

Hi Chris, hi all,

let me say, I can see a missing link here which would be nice to solve.

Btw. another example coming to mind would be the connection with 
external payment services or increasing number of references to cloud 
based services (where it is not sure that a.com is indeed using b.com).
E.g. e-commerce sites linking to paypal or Mastercard / Visa vericode 
(or whatever they call it) directly out of the e-commerce site...

Some improvement in the trust chain could indeed be valuable here.

Having said that, if another WG is already working in this area - Jeff 
mentioned dbound - then my recommendation would be to take the work 
there. WEBSEC is about to be closed, we are only waiting for the final 
release of our last document.

Best regards, Tobias




On 14/01/15 00:44, Jeffrey Walton wrote:
>> Is this a security problem? I think so.
> Yes. Knowing the relationship would be helpful in a security context.
>
>> I have a few ideas on how this could be improved/implemented.
> Dbound is poking and prodding at related issues. And they are
> finalizing their charter now. You might consider reading some of the
> recent posts and commenting.
>
> https://www.ietf.org/mailman/listinfo/dbound.
>
> Jeff
>
> On Mon, Jan 12, 2015 at 2:18 PM, Chris Hartmann <cxhartmann@gmail.com>; wrote:
>> 1) Bob trusts and does personal business with a.com.
>>
>> 2) a.com forms a business relationship with b.com to perform a
>> business function on its behalf (payment processor, blog, whatever).
>> The landing page is b.com/a
>>
>> 3) Bob visits b.com/a and notices that the page claims to be
>> affiliated and owned by a.com
>>
>> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated
>> and a delegated service by a.com? (say, prior to submitting sensitive
>> information)
>>
>> Is this a security problem? I think so.
>>
>> We’ve all had to make this decision one time or another on weak
>> inferences and correlations. I’d imagine Phishers don’t mind at all
>> that there is an inability for the common internet user (looking at
>> you grandma) to make the judgement call on web service affiliations.
>> They’ve been conditioned with the best practice of looking at the
>> address bar (and perhaps the DNS namespace) along with the lock icon
>> to indicate trustworthiness, which may actually help the attacker in
>> their act of misdirection. Inter-domain relationships model business
>> relationships and trust. If web users could be armed with a new
>> “sense” which proves these legitimate relationships (say
>> cryptographically) then perhaps they would have more reason to be
>> skeptical of those who cannot prove their affiliation. I’m not saying
>> we can take human judgement completely out of the equation, but why
>> not have a tool to help anchor this commonly needed and risky
>> correlation.
>>
>> Eg:
>>
>> 5) https://c.com/a is a bad guy and claims the same thing as b.com/a .
>> Now who to trust becomes a research project. (But c.com has the https
>> lock icon, doesn’t that count for anything: NO)
>>
>>
>> Use case a) Tim submits a payment to a redcross.org Paypal donation
>> page he found via his favorite search engine. It was a scam. (We can
>> argue a violation of "best practices" here, but that is besides the
>> point)
>>
>>
>> I suppose phishing isn’t the only example. It could apply to any case
>> where you want to logically group the identity of one entity across
>> many domain boundaries owned by different parties. (eg. A popular band
>> has many web points of presence for fans, etc). This same mechanism
>> could “certify” that these web assets are under one umbrella, although
>> they don’t exist under one domain hierarchy.
>>
>> Should we solve this? Is it solved already? Could use help gelling or
>> junking this idea.
>>
>> I have a few ideas on how this could be improved/implemented.
>>
>> Cheers,
>>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec