Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Chris Hartmann <> Tue, 13 January 2015 20:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9717F1ACDBE for <>; Tue, 13 Jan 2015 12:31:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id I4o7L5LfgSPt for <>; Tue, 13 Jan 2015 12:30:59 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4003:c01::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0CB451ACD87 for <>; Tue, 13 Jan 2015 12:30:59 -0800 (PST)
Received: by with SMTP id vb8so4597799obc.0 for <>; Tue, 13 Jan 2015 12:30:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=z2gEZ4H8trRmClX6STRzlGaMClxcLU4I/hXXgJ/KUtg=; b=z10GYA/4B/W/SvTUSOtO6WiKfuHJE3KD8Jg35VoW2GJOJzcLTzucZc4jVCfkRjg3eN n4wCr02qglZhe1BAu2DgOKmVqWuzwL/Idj5Iq0sZfU2JetRq9nCsZV5UQyDcIak50RK1 LksGz12w/inkfRd4/QKzOEnTXHnA28YGxXuIsWoHRqTJ0SJE4/8jtdqV7aJmwIEUSWi0 XFZ6ysX/neS1M7V4mz1LD8pXVLb2tiKhB6CUnVyZHeEr+RrNCDfJWNylu7aGgDXSYMhz iygBrTKd+XwU/JHh1CqdNaJ/Xrkrj77QCqpiIrGrtNggXght2h3+IZYh7jESp+bSzDT3 IFvw==
MIME-Version: 1.0
X-Received: by with SMTP id mq2mr206619oeb.50.1421181058254; Tue, 13 Jan 2015 12:30:58 -0800 (PST)
Received: by with HTTP; Tue, 13 Jan 2015 12:30:58 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Tue, 13 Jan 2015 12:30:58 -0800
Message-ID: <>
From: Chris Hartmann <>
To: Anne van Kesteren <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: websec <>
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Jan 2015 20:31:01 -0000

Hi Anne/All,
Thanks for the response.

I think your use-case is slightly different then what I was going for,
but perhaps I can extend my idea to cover a different aspect of yours.
Just for clarity, if I understand correctly, the relationship between
services like and isn't what I'm addressing
(sounds more OAuth'ish etc). Rather the relationship between you, your
employer, and might be more in line with where I'm going, but
still isn't really the primary case. Let me explain, in your case, you
or your company IT department made a judgement call to trust
with managing a business asset, business related accounts used for
business purposes hosted by a third-party. Presumably your credentials
to are a risk to the company if compromised. If a phisher
sent you an email claiming to be with a link to a fake but
believable hostname, say (see what I did there), you happen
to click the link and are on the verge of providing your credentials,
you are now in a situation where your perception of the hostname is
the only indication to spark your skepticism and avoid compromise.
Exactly the edge phishers hope for.

My vague idea is that the user agent should have the capability to
notify you, the end-user, that there is no relationship between and (the bad guy), perhaps in a similar
manner that browsers today indicate a lack of integrity with regards
to https verification failures.

Instead of the user-agent labeling the bad guy as bad, it would be the
opposite. When formed the business relationship with it could perhaps share a bit of digitally signed data, say
digitally sign the url to the login page (
and embed that in response. Then the user-agent would be able to
notify you each time you log in that authorized in an obvious enough manner for you to notice
it missing when you clicked the phishing link. In a sense my hope is
to label the good relationships as truthfully good, the user-agent
constantly labels it as such, and then the hope is that typical end
users can then be skeptical when the "this is the good guy" label is
missing, enhancing human perception of good vs. evil.

All of this is very specific, but in general, at the core, I think as
orgs continue the trend of "outsourcing IT" there needs to be a way on
the web to describe and authenticate the relationships in a manner
that end-users and user-agents can digest.

Making a lot of assumptions and going out on a limb here, but a fun
little thought experiment, and look forward to continuing the


On Tue, Jan 13, 2015 at 1:09 AM, Anne van Kesteren <>; wrote:
> On Mon, Jan 12, 2015 at 8:18 PM, Chris Hartmann <>; wrote:
>> Should we solve this? Is it solved already? Could use help gelling or
>> junking this idea.
>> I have a few ideas on how this could be improved/implemented.
> I'd be interested to hear them. E.g. at work we started using
> to login to a bunch of a services, including
> e.g. Google services. It felt extremely phishy to give credentials to
> to make use of a service.
> --