Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Igor Bukanov <igor@mir2.org> Thu, 15 January 2015 14:26 UTC

Date: Thu, 15 Jan 2015 15:26:54 +0100
Message-ID: <CADd11yUYGwNAyptffmrT7bvMJoEkvzG5j-hDQ4Vp02n1xsug0w@mail.gmail.com>
From: Igor Bukanov <igor@mir2.org>
To: Chris Hartmann <cxhartmann@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/iQSxl7CoAhpwAI5e4gPXPwIuTX8>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

On 13 January 2015 at 21:30, Chris Hartmann <cxhartmann@gmail.com> wrote:
> Presumably your credentials
> to okta.com are a risk to the company if compromised. If a phisher
> sent you an email claiming to be okta.com with a link to a fake but
> believable hostname, say otka.com (see what I did there), you happen
> to click the link and are on the verge of providing your credentials,
> you are now in a situation where your perception of the hostname is
> the only indication to spark your skepticism and avoid compromise.

SRP [1] and J-PAKE [2] protocols solved that problem a long time ago:
the idea is that one uses a password not only to authenticate oneself to a
host but also to verify that the host does know your password, without
revealing the password to the host. Unfortunately, browser support
is lacking, so one needs a browser extension to support that.

[1] - http://srp.stanford.edu/
[2] - http://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
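The mutual check Igor describes, as an added Python example that is not part of the original thread: the client proves it knows the password while the server proves it holds the stored verifier, so a look-alike host that never enrolled the user fails the server proof and learns nothing usable about the password. It assumes SHA-256 in place of the RFC 5054 SHA-1, the RFC 5054 1024-bit group, and function and variable names of my own choosing.

```python
import hashlib, os

# RFC 5054 1024-bit group, g = 2 (hex transcribed from the RFC; check it before relying on it).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
L = (N.bit_length() + 7) // 8   # byte length used to left-pad values, as RFC 5054 does

def H(*parts: bytes) -> int:
    """Hash-to-integer; SHA-256 here, where RFC 5054 specifies SHA-1 (assumption)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(L, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter

def private_x(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username: str, password: str):
    """Enrolment: the server stores (salt, verifier v), never the password itself."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_exchange(username, password, salt, v, a=None, b=None):
    """One SRP-6a handshake. Returns (client_accepts_server, server_accepts_client, key)."""
    a = a or int.from_bytes(os.urandom(32), "big")   # client ephemeral secret
    b = b or int.from_bytes(os.urandom(32), "big")   # server ephemeral secret
    A = pow(g, a, N)                                  # client -> server
    B = (k * v + pow(g, b, N)) % N                    # server -> client
    if A % N == 0 or B % N == 0:                      # both sides must abort on these
        raise ValueError("degenerate public value")
    u = H(pad(A), pad(B))
    # Client side: needs the password; the server never receives x or the password.
    x = private_x(username, password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: needs only the stored verifier v.
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_c, K_s = hashlib.sha256(pad(S_client)).digest(), hashlib.sha256(pad(S_server)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_c).digest()            # client's proof
    server_ok = M1 == hashlib.sha256(pad(A) + pad(B) + K_s).digest()
    # M2 is the server's proof; a host that never learned v cannot produce it, and
    # a real server only sends it after M1 verified.
    M2 = hashlib.sha256(pad(A) + M1 + K_s).digest()
    client_ok = M2 == hashlib.sha256(pad(A) + M1 + K_c).digest()
    return client_ok, server_ok, K_c
```

Run it once against the genuine verifier and once against a verifier the impostor made up; only the first handshake yields a client-accepted server proof.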