Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?

Gervase Markham <gerv@mozilla.org> Tue, 13 January 2015 10:40 UTC

Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04C9B1A8A8E for <websec@ietfa.amsl.com>; Tue, 13 Jan 2015 02:40:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.278
X-Spam-Level:
X-Spam-Status: No, score=-3.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Daz2nGeVfiRd for <websec@ietfa.amsl.com>; Tue, 13 Jan 2015 02:40:47 -0800 (PST)
Received: from smtp.mozilla.org (mx1.corp.phx1.mozilla.com [63.245.216.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07A311A8836 for <websec@ietf.org>; Tue, 13 Jan 2015 02:40:46 -0800 (PST)
Received: from [192.168.0.103] (93.243.187.81.in-addr.arpa [81.187.243.93]) (Authenticated sender: gerv@mozilla.org) by mx1.mail.corp.phx1.mozilla.com (Postfix) with ESMTPSA id 86BF0F2952; Tue, 13 Jan 2015 02:40:45 -0800 (PST)
Message-ID: <54B4F62C.4040901@mozilla.org>
Date: Tue, 13 Jan 2015 10:40:44 +0000
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:34.0) Gecko/20100101 Thunderbird/34.0
MIME-Version: 1.0
To: Chris Hartmann <cxhartmann@gmail.com>, websec@ietf.org
References: <CAL1pEULxwcStS6EDfYtpV+neU2izz2gLsJi2Ak7OVxB9x8MzhA@mail.gmail.com>
In-Reply-To: <CAL1pEULxwcStS6EDfYtpV+neU2izz2gLsJi2Ak7OVxB9x8MzhA@mail.gmail.com>
OpenPGP: id=9DF43DBB
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/uBnys1Jtb-w-xyesG5aBjGnCjC8>
Subject: Re: [websec] Authentic inter-domain relationships. Is this a security problem? Appropriate for websec?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 10:40:49 -0000

On 12/01/15 19:18, Chris Hartmann wrote:
> 2) a.com forms a business relationship with b.com to perform a
> business function on its behalf (payment processor, blog, whatever).
> The landing page is b.com/a

Would it not be reasonable to say that, when this sort of relationship
is set up, best practice is to do DNS delegation so that the landing
page is on b.a.com or some other subdomain of a.com?

> 3) Bob visits b.com/a and notices that the page claims to be
> affiliated and owned by a.com

...because then, both the DNS info and the claim would match.

> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated
> and a delegated service by a.com? (say, prior to submitting sensitive
> information)

Because the domain used is a subdomain of a.com.

Gerv