Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Chris Hartmann <cxhartmann@gmail.com> Tue, 13 January 2015 21:32 UTC

In-Reply-To: <54B4F62C.4040901@mozilla.org>
References: <CAL1pEULxwcStS6EDfYtpV+neU2izz2gLsJi2Ak7OVxB9x8MzhA@mail.gmail.com> <54B4F62C.4040901@mozilla.org>
Date: Tue, 13 Jan 2015 13:32:06 -0800
Message-ID: <CAL1pEULD5DjMfrBVEiwb0G=p3xBW3pfQdTEj4RrweBJpnP0+3A@mail.gmail.com>
From: Chris Hartmann <cxhartmann@gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/aiybhTjFdHnS9heM3Kogib-MkKM>
Cc: websec <websec@ietf.org>

On Tue, Jan 13, 2015 at 2:40 AM, Gervase Markham <gerv@mozilla.org> wrote:
> On 12/01/15 19:18, Chris Hartmann wrote:
>> 2) a.com forms a business relationship with b.com to perform a
>> business function on its behalf (payment processor, blog, whatever).
>> The landing page is b.com/a
>
> Would it not be reasonable to say that, when this sort of relationship
> is set up, best practice is to do DNS delegation so that the landing
> page is on b.a.com or some other subdomain of a.com?
>

Absolutely. However, my impression is that it isn't common practice
for two parties to integrate at this level consistently.

For example, a Google search can show the organizations that presumably
have a web presence that is theirs, but how do I _know_ in an undeniable
manner that they are a subsidiary of their parent domain?

https://www.google.com/webhp?#q=imagine+dragons+-site:imaginedragonsmusic.com

https://www.google.com/search?q=cnn%20-site%3Acnn.com

Yeah, we all make conscious cross references here, which can give us a
pretty good sense of correlation, and usually guessing wrong isn't
catastrophic. Sometimes the third parties do make efforts to assure
users that the landing pages are "verified" as authentic, but that is
pretty weak. My argument is that this doesn't have to be hearsay or a
manual correlation effort; the user agent should be able to tell us the
truth.

This might seem trivial and unnecessary, which is a valid argument in
some cases, but my belief is that this is one of the core properties
that makes phishing attempts murkier to end users in the corner
cases that matter. This is what I would hope to fix.


>> 3) Bob visits b.com/a and notices that the page claims to be
>> affiliated and owned by a.com
>
> ...because then, both the DNS info and the claim would match.
>
>> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated
>> and a delegated service by a.com? (say, prior to submitting sensitive
>> information)
>
> Because the domain used is a subdomain of a.com.
>
> Gerv
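The check Gerv's answer implies, written out as an added example (not code from either participant): a user agent or a link checker can decide whether a landing page is "under" a.com purely from the host, and only when the relationship was set up with DNS delegation does that check succeed. It assumes plain DNS labels and deliberately ignores the public-suffix list, so it treats a.com itself as the boundary; the URLs below are constructed.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the host part of a URL, lower-cased, without a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_within_domain(host: str, parent: str) -> bool:
    """True if host equals parent or is a subdomain of it.

    The comparison is done on label boundaries: a bare suffix check would
    accept "evila.com" for parent "a.com", which is exactly the kind of
    look-alike the thread is worried about.
    """
    host = host.lower().rstrip(".")
    parent = parent.lower().rstrip(".")
    if not host or not parent:
        return False
    return host == parent or host.endswith("." + parent)


def landing_page_is_under(url: str, parent: str) -> bool:
    """Decide from the URL alone whether the page sits inside parent's DNS.

    A path component such as b.com/a never counts: only delegation that
    puts the landing page on a subdomain of parent (b.a.com) passes.
    """
    return is_within_domain(host_of(url), parent)


if __name__ == "__main__":
    # Constructed URLs illustrating the delegated vs. path-based setups.
    for url in ("https://b.a.com/checkout", "https://b.com/a",
                "https://evila.com/", "https://a.com.evil.example/"):
        print(url, "->", landing_page_is_under(url, "a.com"))
```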