RE: phishing in IRIs

I don't mind helping with a BCP or something regarding security, however as Martin says there're several approaches, so it's hard to say "do this...", it seems like it would have to be more of "things to watch out for".

Although I'm aware of several concerns with IRI security, others probably know more about actual exploits and problems with IRIs/URLs.  I'm more concerned with moderating the fear around IDN & homographs.

-Shawn

-----Original Message-----
From: "Martin J. Dürst" [mailto:duerst@it.aoyama.ac.jp] 
Sent: ???????, ???????? 27, ??? 2009 2:57
To: Larry Masinter
Cc: Shawn Steele; PUBLIC-IRI@W3.ORG; Pete Resnick; Ted Hardie
Subject: Re: phishing in IRIs

Hello Shawn, Larry,

On 2009/11/27 5:45, Larry Masinter wrote:
> I would support a separate, longer document addressing phishing in 
> particular; it would be great if this could be referenced by the IRI 
> document itself.

I don't have anything against documents on phishing at all, but it may be difficult to reference it from the IRI document because the IRI spec is supposed to be finished very soon.

Because of this and because of arguments given earlier, I agree with Shawn that spoofing/phishing should be essentially outside the WG charter.

> Perhaps
> it could be a BCP. This might be a way of getting specific review of 
> the broader security issues.
>
> Shawn, are you interested in editing such a document?
>
>
> I'd also suggest some coordination with the HTTPBIS security section:
> http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-08#section-11
>
> "Phishers abuse domain name certainly, but they still use all-ASCII."
>
> The concern is that once IRIs with IDN are deployed that this will 
> create an entirely new, rich attack surface. Putting in preventative 
> measures before deployment rather than after-the-fact would be 
> prudent.

I agree that we cannot just say that IRI or IDN spoofing is a non-issue because it's currently a very small issue. However, my understanding is that the mechanisms currently in place against spoofing in Web browsers would easily extend to IDNs, so IDN spoofing or IRI spoofing doesn't have to be treated as an issue separate from domain name spoofing or URI spoofing.


[In my understanding, the two main measures against spoofing are trademark violation and related claims that make the registry remove the domain name in question, and "check-back-home" schemes implemented in various browsers that check against a known blacklist and warn users. But I might be wrong on this, I'm not an expert in this area.]

Regards,    Martin.


> Larry
> --
> http://larry.masinter.net
>
>
> -----Original Message-----
> From: Shawn Steele [mailto:Shawn.Steele@microsoft.com]
> Sent: Wednesday, November 25, 2009 12:12 PM
> To: "Martin J. Dürst"
> Cc: Larry Masinter; PUBLIC-IRI@W3.ORG; Pete Resnick; Ted Hardie
> Subject: RE: phishing in IRIs
>
>> What I am saying is that spoofing of IRIs with the domain name part is a much greater problem than spoofing with IRIs in the rest of the IRI.
>
> I don't disagree with that :)  But you extended it (I thought) to "the IDNs in the IRIs", which I don't see any evidence of.  Phishers abuse domain name certainly, but they still use all-ASCII.
>
>> The IETF has a tradition of putting security considerations in the main document, not as a separate document.
>
> I'm concerned that to fully address the issues of security considerations in IRIs would take quite a bit of space.  I'm also concerned that some aspects might lead to a lot of discussion, as there probably isn't one "right" way to handle IRI security.  An effective security document for IRIs IMO would be comparable to trying to address how to handle spam in email.  So maybe the WG could consider mentioning some security concerns in the main document and provide a further document that describes security in more detail?  For example, I think the discussion of safe-yourbank.com IRIs is interesting, but I'm not sure the main document is the right place for all of that discussion.
>
> -Shawn
>
>

--
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp

Received on Tuesday, 1 December 2009 02:16:16 UTC