Re: [TLS] Straw poll on TLS SRP status

To: tls at ietf.org, "Kemp, David P." <DPKemp at missi.ncsc.mil>
Subject: Re: [TLS] Straw poll on TLS SRP status
From: Yoav Nir <ynir at checkpoint.com>
Date: Tue, 5 Jun 2007 08:38:32 +0300
Cc:
In-reply-to: <FA998122A677CF4390C1E291BFCF598907850FE7@EXCH.missi.ncsc.mil>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <200705301914.l4UJEKMm003461@fs4113.wdf.sap.corp> <E1Hu5gP-0004gU-00@medusa01.cs.auckland.ac.nz> <FA998122A677CF4390C1E291BFCF598907850FE7@EXCH.missi.ncsc.mil>

IMO SRP provides a significant advantage.

I think point #2 in your scenario is a little overstated. Many users will look for the padlock. They may not check the authenticated server name, and they will fall for plausible variations, but it's relatively easy to educate them to look for the padlock.

SRP raises the bar, because once it's widespread, weird server names become meaningless. All you need to do is educate the user that you never enter passwords on a form, only in the browser special window. Browser makers can make visual clues that are hard to imitate in HTML to differentiate the password window from anything coming from the server. Think of the screen dimming that some Linux variations (like Ubuntu) give you when they ask for the administrator password.

That way, if the server is an illegitimate phishing server, it (1) doesn't get your password, and (2) fails authentication.

With SRP (whether directly in TLS or through EAP) you can reduce the requirements from the user to (1) make sure it's SSL (starts with https, colored yellow, padlock) (2) Only enter passwords in the password window, not on a form.

I think these two are learnable for the majority of users. Can't say the same for verifying server DN.

On Jun 4, 2007, at 10:17 PM, Kemp, David P. wrote:

Peter,

I don't see how either #1 or #2 would have much impact on phishing.

Scenario:
1) Server-authenticated TLS to a phishing server with a plausible
   variation on a targeted legitimate server name
2) User ignores padlock and other cert-related HMI information
  (if the user actually checked the authenticated server name and
   recoiled in horror if not as expected, then phishing would not
   be a problem)
3) User authenticates with a) nothing, b) http basic auth, c) client
   cert, or d) SRP - it doesn't matter which
4) Phishing server puts up a form that says: enter SSN, mother's
   maiden name, and password.

If someone is phishing for information to enable identity theft,
then user authentication has no preventive benefit
whatsoever.  If someone is phishing for passwords for online
accounts, then the users who don't check server authentication
are also unlikely to non-comply with a socially-engineered
request to enter their password into a form.

SRP might raise the bar on password phishing slightly, but not
significantly.  And the bar on phishing for everything except
a targeted server's password would not be raised at all.

The way to prevent phishing is to make server authentication
work.  Attacking this problem with client authentication is like
driving screws with a hammer.  Any mechanism that permits the
user to know his password is vulnerable to phishing.  And any
password mechanism that is not vulnerable to phishing, like a browser
module that invisibly generates random passwords for TLS
authenticated web sites and only regurgitates a password to
the site it was generated for, has the same operational issues
as client certs (server needs to request password generation,
user needs to carry p12s for portability to other machines, etc).

Dave


-----Original Message-----
From: Peter Gutmann [mailto:pgut001 at cs.auckland.ac.nz]

Anyway, there are two solutions:

1. Sit back and wait for client certs to start working. Hey, we've been waiting for fifteen-odd years already, they've gotta start working at some point, right?

2. Accept that username+password isn't going to go away (ever) and try
and fix
   it by providing a proper security mechanism for it (mutual-auth
challenge-
   response, for example).

I'm going for #2, which would seriously impact phishing if properly
implemented (admittedly it's not a silver bullet, but it'd seriously
raise the
bar for phishing attacks, which is a step in the right direction).

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- Re: [TLS] Straw poll on TLS SRP status
  - From: Martin Rex
- Re: [TLS] Straw poll on TLS SRP status
  - From: Peter Gutmann
- RE: [TLS] Straw poll on TLS SRP status
  - From: Kemp, David P.

Prev by Date: Re: [TLS] Straw poll on TLS SRP status
Next by Date: Re: [TLS] Straw poll on TLS SRP status
Previous by thread: RE: [TLS] Straw poll on TLS SRP status
Next by thread: RE: [TLS] Straw poll on TLS SRP status
Index(es):
- Date
- Thread

Re: [TLS] Straw poll on TLS SRP status

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.