- From: Sebastian Hellmann <hellmann@informatik.uni-leipzig.de>
- Date: Sun, 3 Mar 2019 23:49:41 +0100
- To: Martynas Jusevičius <martynas@atomgraph.com>
- Cc: Jonas Smedegaard <jonas@jones.dk>, Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org
- Message-ID: <f854de10-6700-14aa-2e6a-d694b37b77ee@informatik.uni-leipzig.de>
Thank you Martynas, this would add an extra layer of security. I would consider the whole system moderately secure with this measure alone. At the moment, I would discourage anybody from using WebID, with this I would judge it acceptable, not great, but acceptable, since I think you would still be able to create new accounts on additional websites, plus there needs to be a way to recover from loss of private key. I would welcome one extra layer like the bitcoin (private key points to address, not the other way round) or the CA signature of the WebID to public key link. But there could be more elegant methods. Having _a professional third party like a CA protecting the system_ would however take a lot of stress from individuals trying to secure their servers. -- Sebastian On 03.03.19 19:35, Martynas Jusevičius wrote: > Sebastian, > > WebID-TLS relies on you having authority over your WebID profile. If > that authority is compromised, your WebID identity is compromised as well. > > Isn’t there a pretty easy safeguard for this though? I think it would > be sufficient for the Verification Agent [1] to store a copy of the > RDF profile first time it sees a WebID, so it can notice when the > public key from the client certificate does not match it anymore. > > I think this is like storing public keys on GitHub. SSH is considered > a secure protocol, but connecting with any key is not enough - an > extra step is required for security. > > Martynas > > [1] > https://www.w3.org/2005/Incubator/webid/spec/tls/#verifying-the-webids > > On Sun, 3 Mar 2019 at 17.45, Sebastian Hellmann > <hellmann@informatik.uni-leipzig.de > <mailto:hellmann@informatik.uni-leipzig.de>> wrote: > > Hi Jonas, > > what you write confirms my fears. > > On 03.03.19 10:47, Jonas Smedegaard wrote: >> Quoting Sebastian Hellmann (2019-03-03 09:41:40) >>> Hi Kingsley, >>> >>> you are writing a lot of text without answering my simple question: >>> >>> If I find a way to change your public key in your WebID to match my >>> private key, can I log into your accounts with my private key? >>> >>> Your associated accounts for your WebID seem quite valuable already, I >>> could target your employees with root access and make them an offer they >>> can't refuse. >>> >>> What security measures against identity theft are in place and where can >>> I read about them? This here is minimal: >>> https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security >> This is a WebID:https://dr.jones.dk/me/#me > > And here is a list of other domains pointing to it: > > anniqa.dk <http://anniqa.dk> > bassballs.dk <http://bassballs.dk> > birgitmaanestraale.dk <http://birgitmaanestraale.dk> > byvandring.nu <http://byvandring.nu> > cityseeing.dk <http://cityseeing.dk> > couchdesign.dk <http://couchdesign.dk> > dns.jones.dk <http://dns.jones.dk> > electrohype.dk <http://electrohype.dk> > event.jones.dk <http://event.jones.dk> > feliciaweb.dk <http://feliciaweb.dk> > jones.dk <http://jones.dk> > kassandra-production.dk <http://kassandra-production.dk> > lejlighederinc.org <http://lejlighederinc.org> > mail.jones.dk <http://mail.jones.dk> > majasguf.dk <http://majasguf.dk> > mejeriet.oroe.dk <http://mejeriet.oroe.dk> > parl.debian.net <http://parl.debian.net> > perilin.jones.dk <http://perilin.jones.dk> > public-e.dk <http://public-e.dk> > ressourceoptimering.dk <http://ressourceoptimering.dk> > solidbox.org <http://solidbox.org> > stadsvandring.dk <http://stadsvandring.dk> > www.xpositionreverse.org <http://www.xpositionreverse.org> > xayide.jones.dk <http://xayide.jones.dk> > xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk <http://xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk> > xpositionreverse.org <http://xpositionreverse.org> > > This takes three minutes here: > https://hackertarget.com/reverse-ip-lookup/ > > I am sure some of them are on the same server as your WebID and > maybe I find a hole in them for accessing your webid document > directly or more subtle add a .htaccess rule . > > >> That is an identity. Just like "Jonas Smedegaard" is an identity. >> >> It is not secure against identity theft. It is just a URI. > > In itself this is cool and secure, but it is also a beacon for > personal attacks. This is also worth the effort. If I hack into > Kingsleys WebID and post some of his most silliest private > pictures in social media with the note that he has been hacked, > OpenLink will loose a lot of customers. The competitor who hacked > him can pick them up. It can bring down whole companies, if you > target the right persons. Also it is much more attractive to hack > into TimBL's WebID than into the W3C site or his personal website. > > >> *** >> >> An RDF document is served at the URL of my WebID. >> >> That is an identifier. Just like my birth certificate and my passport >> are identifiers. >> >> It is not secure against identity theft. It is just a document. > > I see this differently. Birth certificate and passport are issued > by trusted third parties and your passport contains hundreds of > security measures, while the RDF document contains exactly 0. > >> *** >> >> A public TLS key is contained within my WebID RDF document. >> >> That can be used for (the public part of) WebID+TLS authentication. >> Just as contacting the church where I was baptised to verify that >> they got a matching copy of my birth certificate, or call up the >> danish authorities to verify if they got matching credentials for >> my passport can authenticate identifiers for my other identities. > > The problem I have is that the unprotected RDF document Identity > claim determines the way how this claim is verified. Personally, I > see the private key as most secure thing and there are many better > systems that point from the private key to the identifier, Bitcoin > addresses for example and this is the level of security I would > like to have for my WebID. In the most paranoid case, wearing it > in an USB stick with only me knowing the password around my neck. > > There are also very good systems that provide excellent protection > for individuals: > > * my credit card: basically my pin code can be compromised by the > person behind me looking over my shoulder at the ice cream shop, > but the contract I have limits my risk to 50€ in case of any > fraud. Sometimes they even call me to verify suspicions. > > * The certificate authorities are quite an established system. So > they could certify the link between my public/private key and my > WebID. I would have an extra channel in case of private key loss > and I think it is also possible to extend this trust to my agents > acting as a CA and issuing lower level certificates. > > We tried to implement WebID: https://github.com/dbpedia/webid > > I also implemented a client that does requests every hour via the > WebID system, basically curl with the private key and a > self-signed certificate with the WebID as SAN . It is nothing > critical, but it is a cronjob and in order for it to work I put > the password for the webid in a plaintext config file. I only use > the Webid and private key for this and everything is on the same > server, but then 4 other people have root access there, which I > trust completely. > > I knew that this compromises security a lot, but it is ok at the > moment, since damage would be minimal. Now I feel, that I have to > make a new public/private key for everything I implement and if > one gets compromised somebody can create new accounts with my webid. > > Maybe there is a better way to do this, please tell me. > > All the best, > > Sebastian > > >> *** >> >> If you find a way to break into and manipulate my web server, or if you >> bribe the clerk at the church or the police department, then you can >> steal my identities. >> >> For WebID+TLS you would want to find flaws in TLS to break into the >> protocol of authenticating WebIDs _that_ way. And similarly for other >> authentication protocols of WebID. >> >> There might be ways _specifically_ to how TLS to tied to WebID, and >> those might be flawed. Which is what you found a document about. But >> that document does not cover all the *other* ways you can gain control >> over my WebID, including simply showing up at my doorstep and kick me in >> the face with a bat until I hand over the private TLS key, or burn down >> my house (it is made of wood) to stop my server from running. >> >> What was your "simple question" again? >> >> >> - Jonas >> > -- > All the best, > Sebastian Hellmann > > Director of Knowledge Integration and Linked Data Technologies > (KILT) Competence Center > at the Institute for Applied Informatics (InfAI) at Leipzig University > Executive Director of the DBpedia Association > Projects: http://dbpedia.org, http://nlp2rdf.org, > http://linguistics.okfn.org, https://www.w3.org/community/ld4lt > <http://www.w3.org/community/ld4lt> > Homepage: http://aksw.org/SebastianHellmann > Research Group: http://aksw.org > -- All the best, Sebastian Hellmann Director of Knowledge Integration and Linked Data Technologies (KILT) Competence Center at the Institute for Applied Informatics (InfAI) at Leipzig University Executive Director of the DBpedia Association Projects: http://dbpedia.org, http://nlp2rdf.org, http://linguistics.okfn.org, https://www.w3.org/community/ld4lt <http://www.w3.org/community/ld4lt> Homepage: http://aksw.org/SebastianHellmann Research Group: http://aksw.org
Received on Sunday, 3 March 2019 22:50:15 UTC