Re: [http-auth] Tunisian/Syrian phishing attacks
Yaron Sheffer <yaronf@gmx.com> Sun, 12 June 2011 06:50 UTC
Return-Path: <yaronf@gmx.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D98A01F0C45 for <http-auth@ietfa.amsl.com>; Sat, 11 Jun 2011 23:50:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.57
X-Spam-Level:
X-Spam-Status: No, score=-1.57 tagged_above=-999 required=5 tests=[AWL=-1.029, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6, MIME_HTML_ONLY=1.457]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJphqnckGAyo for <http-auth@ietfa.amsl.com>; Sat, 11 Jun 2011 23:50:23 -0700 (PDT)
Received: from mailout-eu.gmx.com (mailout-eu.gmx.com [213.165.64.42]) by ietfa.amsl.com (Postfix) with SMTP id A0A351F0C35 for <http-auth@ietf.org>; Sat, 11 Jun 2011 23:50:22 -0700 (PDT)
Received: (qmail invoked by alias); 12 Jun 2011 06:50:20 -0000
Received: from bzq-79-178-38-173.red.bezeqint.net (EHLO [10.0.0.2]) [79.178.38.173] by mail.gmx.com (mp-eu004) with SMTP; 12 Jun 2011 08:50:20 +0200
X-Authenticated: #63966379
X-Provags-ID: V01U2FsdGVkX1+DxYpde4aD7T2569ACvCqHCCMocZ/4hlNLFXN6dE rn5z03MxcRMSfR
Message-ID: <4DF461A9.8070803@gmx.com>
Date: Sun, 12 Jun 2011 09:50:17 +0300
From: Yaron Sheffer <yaronf@gmx.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110516 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <mailman.214.1307403028.3017.http-auth@ietf.org> <4DF384FD.10804@gmx.com> <BANLkTin3Me6DxH+nG8LX8wKTiA735tiwjQ@mail.gmail.com>
In-Reply-To: <BANLkTin3Me6DxH+nG8LX8wKTiA735tiwjQ@mail.gmail.com>
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: http-auth@ietf.org
Subject: Re: [http-auth] Tunisian/Syrian phishing attacks
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jun 2011 06:50:24 -0000
thanks for your comments.
I agree several alternative authentication methods make sense, in addition to ZKPP. But for now, I'd rather concentrate on passwords since they make the most sense in the consumer context. If we do it right, we can migrate to PSK later on - if the user doesn't enter the password, they might as well use long binary strings. And maybe Kerberos as well.
But apparently I wasn't clear on the implementation, and that's a critical part. It looks like secure scripts are an impossibility right now (although people are trying: http://en.wikipedia.org/wiki/Caja_project" rel="nofollow">http://en.wikipedia.org/wiki/Caja_project). So I expect the browser internals to take care of authentication, with no scripting and no user interface involved. This is also why I'm avoiding the term "browser chrome" which smells of GUI: if you allow users into the loop, they will always make the rational decision and press Yes.
So here's my amended proposal again:
1. Users are authenticated to Facebook with a password, using a zero-knowledge password protocol (ZKPP), with authentication at the TLS or the HTTP layer.
2. In the future this can be extended to support other strong mutual auth schemes, like PSK or enterprise server+client certificates.
3. In any case, authentication is crypto-bound into the TLS-protected session (OK, let's assume Facebook sessions are TLS-protected...).
4. Passwords are stored in the browser's password manager. The browser doesn't "paste" the password into a form; rather, the browser only uses the password to run the client side of the ZKPP. This is done behind the scenes, the user doesn't get to see the plaintext password or even a row of asterisks. The browser implements ZKPP internally, with no scripts taking part in the process. In particular, browser-based scripts never get to see the password.
5. This is further hardened with an HSTS-like mechanism: only use this site if you can perform mutual authentication with it.
6. As a result of this scheme, users are trained *not* to enter their passwords explicitly, and will be suspicious when the see a "please enter your password" page. More importantly, they will have to work hard to get access to their password, which would discourage them from revealing the password to any arbitrary Web site.
Thanks,
Yaron
On 06/12/2011 01:42 AM, Nico Williams wrote:
On Sat, Jun 11, 2011 at 10:08 AM, Yaron Sheffer <yaronf@gmx.com> wrote:Let's assume the following: 1. Users are authenticated to Facebook with a password, using a zero-knowledge password protocol (ZKPP), with authentication at the TLS or the HTTP layer.So, mutual authentication. The specific mechanism doesn't matter, as long as it gives us mutual authentication in a way such that it doesn't suffer from the problems that the TLS server PKI does when it comes to authenticating the service.2. In any case, authentication is crypto-bound into the TLS-protected session (OK, let's assume Facebook sessions are TLS-protected...).So, channel binding. (Because we're not going to throw away our investment in TLS for transport protection, but we need to make sure there's no MITM there.)3. Passwords are stored in the browser's password manager. The browser doesn't "paste" the password into a form; rather, the browser only releases the password when going through the ZKPP. This is done behind the scenes, the user doesn't get to see the plaintext password or even a row of asterisks.Browser chrome, a TCB. What does "releases" here mean? Does it give the password plaintext to an untrusted script that implements the ZKPP?4. This is further hardened with an HSTS-like mechanism: only use this site if you can perform mutual authentication with it.Indeed!5. Also, users are trained *not* to enter their passwords explicitly, and will be suspicious when the see a "please enter your password" page.Right: death to echo-off text input elements in HTML!I suggest that this combination is well protected against phishing attacks, without having to rely on trusted JavaScript code or on fancy user interface elements.This (mutual auth + channel binding) is pretty much what some of us proposed at the W3C IDBROWSER workshop three weeks ago. (Instead of a ZKPP I propose we allow multiple different mechanisms, because there are different mechanisms that people will want to use depending on the context; Kerberos in the enterprise, GSS-EAP in the .edu cases and many others, etcetera.) But here's the gotcha: this can't be implemented in a script served by the site, because there's no way to know what the script intends to do with the password, and we haven't really authenticated the site yet, and if you think the TLS server PKI is enough, then why ask for mutual auth here? We could add a script signing PKI, but chances are it'd end up with the same faults as the TLS server PKI (namely: the CAs don't have any responsibility to the RPs, the public at large). This wouldn't eliminate all phishing attacks, but it would eliminate the kinds of phishing attacks that involve theft of credential by impersonating a service that a user wants to login to. Well, assuming the phisher can't trick the user into typing the password into an echo-off (or simulated echo-off) prompt, which is why browser chrome and things like SAS (secure attention sequence) matter, but still , we'd be making significant progress. Nico --
- Re: [http-auth] Tunisian/Syrian phishing attacks Yaron Sheffer
- Re: [http-auth] Tunisian/Syrian phishing attacks Nico Williams
- Re: [http-auth] Tunisian/Syrian phishing attacks Yaron Sheffer