[websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Chris Hartmann <cxhartmann@gmail.com> Mon, 12 January 2015 19:19 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/LFj1Oc0WmPBJnYw-QTUw-lqifs0>

1) Bob trusts and does personal business with a.com.

2) a.com forms a business relationship with b.com to perform a
business function on its behalf (payment processor, blog, whatever).
The landing page is b.com/a.

3) Bob visits b.com/a and notices that the page claims to be
affiliated with and owned by a.com.

4) How can Bob, in absolute terms, trust that b.com/a is affiliated
and a delegated service by a.com? (say, prior to submitting sensitive
information)

Is this a security problem? I think so.

We’ve all had to make this decision at one time or another on weak
inferences and correlations. I’d imagine phishers don’t mind at all
that the common internet user (looking at you, grandma) is unable to
make the judgement call on web service affiliations. They’ve been
conditioned with the best practice of looking at the address bar (and
perhaps the DNS namespace) along with the lock icon to indicate
trustworthiness, which may actually help the attacker in their act of
misdirection. Inter-domain relationships model business relationships
and trust. If web users could be armed with a new “sense” which proves
these legitimate relationships (say cryptographically) then perhaps
they would have more reason to be skeptical of those who cannot prove
their affiliation. I’m not saying we can take human judgement
completely out of the equation, but why not have a tool to help anchor
this commonly needed and risky correlation?

E.g.:

5) https://c.com/a is a bad guy and claims the same thing as b.com/a.
Now who to trust becomes a research project. (But c.com has the HTTPS
lock icon; doesn’t that count for anything? NO.)


Use case a) Tim submits a payment to a redcross.org PayPal donation
page he found via his favorite search engine. It was a scam. (We can
argue a violation of "best practices" here, but that is beside the
point.)


I suppose phishing isn’t the only example. It could apply to any case
where you want to logically group the identity of one entity across
many domain boundaries owned by different parties (e.g. a popular band
has many web points of presence for fans, etc.). This same mechanism
could “certify” that these web assets are under one umbrella, although
they don’t exist under one domain hierarchy.

Should we solve this? Is it solved already? Could use help gelling or
junking this idea.

I have a few ideas on how this could be improved/implemented.

Cheers,

Chris


P.S. First post here, been lurking for a while now.
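The scenario in steps 1) to 5) above, sketched as an added example (not code from the post or from any IETF work): the domain Bob already trusts, a.com, signs an assertion that b.com/a acts on its behalf, and Bob's user agent checks it against a.com's public key obtained from a.com itself. The Assertion format, the Ed25519 choice and the scoping by host and path prefix are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a hypothetical statement, signed by a domain Bob already trusts
// (a.com), that a location on another party's host (b.com/a) acts on its behalf.
type Assertion struct {
	Issuer   string `json:"issuer"`   // the trusted domain making the claim
	Delegate string `json:"delegate"` // host serving on the issuer's behalf
	Path     string `json:"path"`     // path prefix the delegation is scoped to
	Expires  int64  `json:"expires"`  // Unix time after which the claim is stale
}

// canonical returns the bytes that get signed; struct fields marshal in a
// fixed order, so issuer and verifier produce identical encodings.
func (a Assertion) canonical() []byte {
	b, _ := json.Marshal(a)
	return b
}

// Sign is run by the issuer (a.com) with its private key.
func Sign(priv ed25519.PrivateKey, a Assertion) []byte {
	return ed25519.Sign(priv, a.canonical())
}

// Verify is run by Bob's user agent. pub is the issuer's key, fetched out of
// band from the issuer itself (the trust anchor), never from the page being
// checked. A missing, forged, out-of-scope or expired assertion yields false.
func Verify(pub ed25519.PublicKey, issuer string, a Assertion, sig []byte,
	host, path string, now time.Time) bool {
	if a.Issuer != issuer || a.Delegate != host || a.Path != path || now.Unix() > a.Expires {
		return false
	}
	return ed25519.Verify(pub, a.canonical(), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // a.com's key pair
	claim := Assertion{"a.com", "b.com", "/a", time.Now().Add(24 * time.Hour).Unix()}
	sig := Sign(priv, claim)
	fmt.Println("b.com/a proven:", Verify(pub, "a.com", claim, sig, "b.com", "/a", time.Now()))
	fmt.Println("c.com/a proven:", Verify(pub, "a.com", claim, sig, "c.com", "/a", time.Now()))
}
```

The lock icon on c.com plays no part here: c.com can only pass by presenting an assertion naming c.com that verifies under a.com's key, which a.com never issued.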