Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

[Chris Hartmann <cxhartmann@gmail.com>]

Hi Anne/All,
Thanks for the response.

I think your use-case is slightly different then what I was going for,
but perhaps I can extend my idea to cover a different aspect of yours.
Just for clarity, if I understand correctly, the relationship between
services like okta.com and google.com isn't what I'm addressing
(sounds more OAuth'ish etc). Rather the relationship between you, your
employer, and okta.com might be more in line with where I'm going, but
still isn't really the primary case. Let me explain, in your case, you
or your company IT department made a judgement call to trust okta.com
with managing a business asset, business related accounts used for
business purposes hosted by a third-party. Presumably your credentials
to okta.com are a risk to the company if compromised. If a phisher
sent you an email claiming to be okta.com with a link to a fake but
believable hostname, say otka.com (see what I did there), you happen
to click the link and are on the verge of providing your credentials,
you are now in a situation where your perception of the hostname is
the only indication to spark your skepticism and avoid compromise.
Exactly the edge phishers hope for.

My vague idea is that the user agent should have the capability to
notify you, the end-user, that there is no relationship between
yourcompany.com and otka.com (the bad guy), perhaps in a similar
manner that browsers today indicate a lack of integrity with regards
to https verification failures.

Instead of the user-agent labeling the bad guy as bad, it would be the
opposite. When yourcompany.com formed the business relationship with
okta.com it could perhaps share a bit of digitally signed data, say
digitally sign the url to the login page (www.okta.com/yourcompany)
and embed that in response. Then the user-agent would be able to
notify you each time you log in that yourcompany.com authorized
www.okta.com/yourcompany in an obvious enough manner for you to notice
it missing when you clicked the phishing link. In a sense my hope is
to label the good relationships as truthfully good, the user-agent
constantly labels it as such, and then the hope is that typical end
users can then be skeptical when the "this is the good guy" label is
missing, enhancing human perception of good vs. evil.

All of this is very specific, but in general, at the core, I think as
orgs continue the trend of "outsourcing IT" there needs to be a way on
the web to describe and authenticate the relationships in a manner
that end-users and user-agents can digest.

Making a lot of assumptions and going out on a limb here, but a fun
little thought experiment, and look forward to continuing the
brainstorm.


Chris




On Tue, Jan 13, 2015 at 1:09 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Mon, Jan 12, 2015 at 8:18 PM, Chris Hartmann <cxhartmann@gmail.com> wrote:
>> Should we solve this? Is it solved already? Could use help gelling or
>> junking this idea.
>>
>> I have a few ideas on how this could be improved/implemented.
>
> I'd be interested to hear them. E.g. at work we started using
> https://www.okta.com/ to login to a bunch of a services, including
> e.g. Google services. It felt extremely phishy to give credentials to
> okta.com to make use of a google.com service.
>
>
> --
> https://annevankesteren.nl/