Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
Chris Hartmann <cxhartmann@gmail.com> Tue, 13 January 2015 21:32 UTC
To: Gervase Markham <gerv@mozilla.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/aiybhTjFdHnS9heM3Kogib-MkKM>
Cc: websec <websec@ietf.org>
On Tue, Jan 13, 2015 at 2:40 AM, Gervase Markham <gerv@mozilla.org> wrote:
> On 12/01/15 19:18, Chris Hartmann wrote:
>> 2) a.com forms a business relationship with b.com to perform a
>> business function on its behalf (payment processor, blog, whatever).
>> The landing page is b.com/a
>
> Would it not be reasonable to say that, when this sort of relationship
> is set up, best practice is to do DNS delegation so that the landing
> page is on b.a.com or some other subdomain of a.com?
>

Absolutely. However, my impression is that this isn't the common practice for two parties to integrate at this level consistently. For example, a Google search can show the organizations that presumably have a web presence that is theirs, but how do I _know_, in an undeniable manner, that they are a subsidiary of their parent domain?

https://www.google.com/webhp?#q=imagine+dragons+-site:imaginedragonsmusic.com
https://www.google.com/search?q=cnn%20-site%3Acnn.com

Yeah, we all make conscious cross-references here, which can give us a pretty good sense of correlation, and usually guessing wrong isn't catastrophic. Sometimes the third parties do make efforts to assure users that the landing pages are "verified" as authentic, but that is pretty weak. My argument is that this doesn't have to be hearsay or a manual correlation effort; the user-agent should be able to tell us the truth. This might seem trivial and unnecessary, which is a valid argument in some cases, but my belief is that this is one of the core properties that makes phishing attempts more murky to end users for the corner cases that matter. This is what I would hope to fix.

>> 3) Bob visits b.com/a and notices that the page claims to be
>> affiliated and owned by a.com
>
> ...because then, both the DNS info and the claim would match.
>
>> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated
>> and a delegated service by a.com? (say, prior to submitting sensitive
>> information)
>
> Because the domain used is a subdomain of a.com.
>
> Gerv
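The distinction the exchange turns on, that a user-agent can verify b.a.com as delegated by a.com from the hostname alone but can say nothing about b.com/a, as an added example that is not part of the thread; the `claimed_parent` input and the sample URLs are assumptions constructed for illustration.

```python
"""Added example (not from the thread): a user-agent-side check that a landing
page's host lies within the domain it claims affiliation with. Hostname
comparison only; the claimed parent domain is an assumed input."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, without any trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_delegated_by(url: str, parent: str) -> bool:
    """True if the URL's host equals `parent` or is a DNS child of it.

    The comparison is done on whole labels, so 'evila.com' is not under
    'a.com' and neither is 'a.com.evil.example'. A path such as b.com/a
    is never evidence of delegation, because paths are not part of DNS.
    """
    host = host_of(url)
    parent = parent.lower().rstrip(".")
    if not host or not parent:
        return False
    return host == parent or host.endswith("." + parent)


def classify(url: str, claimed_parent: str) -> str:
    """Summarise what a user-agent could assert about a landing page."""
    if is_delegated_by(url, claimed_parent):
        return "verified: host is within " + claimed_parent
    return ("unverified: claimed affiliation with %s is not supported "
            "by the hostname" % claimed_parent)


if __name__ == "__main__":
    # Constructed sample URLs mirroring the thread's a.com / b.com scenario.
    for u in ("https://b.a.com/checkout", "https://b.com/a",
              "https://evila.com/", "https://a.com.evil.example/"):
        print(u, "->", classify(u, "a.com"))
```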