Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Chris Hartmann <cxhartmann@gmail.com> Wed, 14 January 2015 21:34 UTC

Return-Path: <cxhartmann@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D181AC3EF for <websec@ietfa.amsl.com>; Wed, 14 Jan 2015 13:34:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kKgJ5GsprPOr for <websec@ietfa.amsl.com>; Wed, 14 Jan 2015 13:34:56 -0800 (PST)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC0431A90CC for <websec@ietf.org>; Wed, 14 Jan 2015 13:34:55 -0800 (PST)
Received: by mail-oi0-f54.google.com with SMTP id u20so9404588oif.13 for <websec@ietf.org>; Wed, 14 Jan 2015 13:34:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=XQcClvFxvd6jlqX7ytSjbR6KNxO6QQnk36+B5/wsJnE=; b=VMW0ORMF9YDsVfn/PjvbEn/hb6c2feDA9Uy6gROh38z2lc4ka3FDhpC/N/BkfwHaPs WhPUIlxmZqHUMCFKjdaVuKVBGyG/burb9kKgD36TMb2jWdmoKwpeCI1n8Yt8EtIDf1Cy Jl00kN9xScs7ZzdaRWe7QRwR1LTEd97cMpx+GNK0/J/xhuZLkFE940UoS6ongq7vrAIK 3sP58ProCjWoyDV7ENLeqkmBcXfh+iVG4cIeqldLnCmVf64rjbJMNfHpgPSryjftrg6n ssKmaf/dlPYkOPqkaNZJboDtSDc+4QcADWUE20uPPolGQ0sOkPiGx6/ax9657uTY4Ct3 Chhg==
MIME-Version: 1.0
X-Received: by 10.60.125.130 with SMTP id mq2mr3929165oeb.50.1421271295087; Wed, 14 Jan 2015 13:34:55 -0800 (PST)
Received: by 10.202.45.78 with HTTP; Wed, 14 Jan 2015 13:34:55 -0800 (PST)
In-Reply-To: <CADnb78h=YBz90ZRwrefp8NnKUDZG5wLFZ2Hx+-wZnMfMFcFZMg@mail.gmail.com>
References: <CAL1pEULxwcStS6EDfYtpV+neU2izz2gLsJi2Ak7OVxB9x8MzhA@mail.gmail.com> <CADnb78hD=rTbu5RU1SYksDWYOjokM=f25R49XCCdO2xj+TVtyw@mail.gmail.com> <CAL1pEULaTQ0NUe_zmEiEWfeY8dohdAMcC4MpZnLY32CX95PrJw@mail.gmail.com> <CADnb78h=YBz90ZRwrefp8NnKUDZG5wLFZ2Hx+-wZnMfMFcFZMg@mail.gmail.com>
Date: Wed, 14 Jan 2015 13:34:55 -0800
Message-ID: <CAL1pEU+d+8T7S0PJp0k0ddEEvXqaRVOZUHmcUiMxmSfkgbOg2w@mail.gmail.com>
From: Chris Hartmann <cxhartmann@gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/JgBUW8rS73eCSJuOEh5kSeYxJT0>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 21:34:57 -0000

On Wed, Jan 14, 2015 at 1:15 AM, Anne van Kesteren <annevk@annevk.nl>; wrote:
> On Tue, Jan 13, 2015 at 9:30 PM, Chris Hartmann <cxhartmann@gmail.com>; wrote:
>> If a phisher
>> sent you an email claiming to be okta.com with a link to a fake but
>> believable hostname, say otka.com (see what I did there), you happen
>> to click the link and are on the verge of providing your credentials,
>
> Yeah, that's the concern.
>
>
>> When yourcompany.com formed the business relationship with
>> okta.com it could perhaps share a bit of digitally signed data, say
>> digitally sign the url to the login page (www.okta.com/yourcompany)
>> and embed that in response.
>
> Given that the current address bar UI already has limited utility,
> it's not clear to me what making it more complicated will actually
> help users.
>

Yeah, I also have the sense any proposed UA/UI change is going to be
highly scrutinized and be a point of resistance. But I have yet to
conclude how social engineering attacks can be comprehensively
addressed without at least partially arming end users with something
to help them make these important correlations. Trust by affiliation
is a real thing that we do in the real world, although these
affiliations are hard to verify, they work in general. In the digital
world fortunately we can have machines verify these affiliations with
an extremely high level of certainty, I'd argue people should be able
to perceive these to formulate trust.

>
> --
> https://annevankesteren.nl/