[websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
Chris Hartmann <cxhartmann@gmail.com> Mon, 12 January 2015 19:19 UTC
1) Bob trusts and does personal business with a.com.
2) a.com forms a business relationship with b.com to perform a business function on its behalf (payment processor, blog, whatever). The landing page is b.com/a.
3) Bob visits b.com/a and notices that the page claims to be affiliated with and owned by a.com.
4) How can Bob, in absolute terms, trust that b.com/a is affiliated with and a delegated service of a.com? (say, prior to submitting sensitive information)

Is this a security problem? I think so. We’ve all had to make this decision one time or another on weak inferences and correlations. I’d imagine phishers don’t mind at all that there is an inability for the common internet user (looking at you, grandma) to make the judgement call on web service affiliations. They’ve been conditioned with the best practice of looking at the address bar (and perhaps the DNS namespace) along with the lock icon to indicate trustworthiness, which may actually help the attacker in their act of misdirection.

Inter-domain relationships model business relationships and trust. If web users could be armed with a new “sense” which proves these legitimate relationships (say, cryptographically) then perhaps they would have more reason to be skeptical of those who cannot prove their affiliation. I’m not saying we can take human judgement completely out of the equation, but why not have a tool to help anchor this commonly needed and risky correlation?

E.g.:
5) https://c.com/a is a bad guy and claims the same thing as b.com/a. Now who to trust becomes a research project. (But c.com has the https lock icon, doesn’t that count for anything? NO)

Use case a) Tim submits a payment to a redcross.org Paypal donation page he found via his favorite search engine. It was a scam. (We can argue a violation of "best practices" here, but that is beside the point.)

I suppose phishing isn’t the only example. It could apply to any case where you want to logically group the identity of one entity across many domain boundaries owned by different parties (e.g. a popular band has many web points of presence for fans, etc.). This same mechanism could “certify” that these web assets are under one umbrella, although they don’t exist under one domain hierarchy.

Should we solve this? Is it solved already? Could use help gelling or junking this idea. I have a few ideas on how this could be improved/implemented.

Cheers,
Chris

P.S. First post here, been lurking for a while now.