- From: Sebastian Hellmann <hellmann@informatik.uni-leipzig.de>
- Date: Mon, 4 Mar 2019 10:00:09 +0100
- To: Martynas Jusevičius <martynas@atomgraph.com>
- Cc: Jonas Smedegaard <jonas@jones.dk>, Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org
- Message-ID: <2bbfbeb9-5617-2b46-0b35-564c059a24d3@informatik.uni-leipzig.de>
Hi Martynas, On 04.03.19 09:45, Martynas Jusevičius wrote: > Sebastian, > > due to decentralized and self-hosted nature of WebID, the potential of > mass identity theft is actually lower, compared to a centralized > server with a large number of accounts. So is WebID more secure that > way, on a global scale? I addressed this here: https://lists.w3.org/Archives/Public/public-webid/2019Mar/0009.html A centralized silo like Facebook, Google, Apple also has the resources to provide very high security, although they might be misusing the data. I am assuming that 70% of WebId users will have a low security level or at least several magnitudes lower than Facebook and the Pentagon and even these get hacked. Since each node has a URL it is easy to find and attack not like other P2P networks with changing IPs and anonymous users. While the decentralised nature is a security factor, it is not enough in my opinion. > > I think issues like these should be addressed in the W3C process > advancing WebID towards a Recommendation. Nobody could really answer > me why that has not happened yet. Isn't this the list to advance WebID? -- Sebastian > On Mon, 4 Mar 2019 at 09.21, Sebastian Hellmann > <hellmann@informatik.uni-leipzig.de > <mailto:hellmann@informatik.uni-leipzig.de>> wrote: > > Hi Martynas, > > On 04.03.19 00:00, Martynas Jusevičius wrote: >> Senastian, >> >> I understand your concern, but is that within the scope of an >> identity protocol? Sounds more like identity theft problem. >> >> If I seize your computer (which is arguably easier than seizing a >> server) and start using your OpenID, would the effect not be the >> same? >> > That is not the point here. My main point is, that there is plenty > of motive (personal, commercial or just for fun) AND opportunity. > I fell like having a WebID in its current form and also a solid > box is like leaving valuables open in your car and then announcing > where you left it. Like they would open your BMW electronically, > there are also experts who now server exploits. > > In the form it is now, just the fact that you have a WebID and a > solid box might increase the number of hacking attacks, port > scanners, etc. on your server. It would be equivalent to the > attacks your browser has to withstand. > > My laptop is hardware encrypted, my browser has an extra password. > So there are two good "even if" . I am missing these "even ifs" > after you remove the first layer of security of WebID. Furthermore > the protocol seems secure by having keywords like public/private > key and TLS, when in fact a script kiddie could find an exploit on > your server and render the strong private key and TLS security > ineffective. De facto the security level can be much lower and it > is not uniform across the protocol. > > >> identity protocol? Sounds more like identity theft problem. > > WebID - an identity protocol that creates new motives and > opportunities for identity theft. > > > For solid there are more dangers like SynoLocker: > https://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware > > > However, foremost, I am caring about the WebID protocol. > > All the best, > > Sebastian > > > >> On Sun, 3 Mar 2019 at 23.49, Sebastian Hellmann >> <hellmann@informatik.uni-leipzig.de >> <mailto:hellmann@informatik.uni-leipzig.de>> wrote: >> >> Thank you Martynas, >> >> this would add an extra layer of security. I would consider >> the whole system moderately secure with this measure alone. >> At the moment, I would discourage anybody from using WebID, >> with this I would judge it acceptable, not great, but >> acceptable, since I think you would still be able to create >> new accounts on additional websites, plus there needs to be a >> way to recover from loss of private key. >> >> I would welcome one extra layer like the bitcoin (private key >> points to address, not the other way round) or the CA >> signature of the WebID to public key link. But there could be >> more elegant methods. Having _a professional third party like >> a CA protecting the system_ would however take a lot of >> stress from individuals trying to secure their servers. >> >> -- Sebastian >> >> >> On 03.03.19 19:35, Martynas Jusevičius wrote: >>> Sebastian, >>> >>> WebID-TLS relies on you having authority over your WebID >>> profile. If that authority is compromised, your WebID >>> identity is compromised as well. >>> >>> Isn’t there a pretty easy safeguard for this though? I think >>> it would be sufficient for the Verification Agent [1] to >>> store a copy of the RDF profile first time it sees a WebID, >>> so it can notice when the public key from the client >>> certificate does not match it anymore. >>> >>> I think this is like storing public keys on GitHub. SSH is >>> considered a secure protocol, but connecting with any key is >>> not enough - an extra step is required for security. >>> >>> Martynas >>> >>> [1] >>> https://www.w3.org/2005/Incubator/webid/spec/tls/#verifying-the-webids >>> >>> On Sun, 3 Mar 2019 at 17.45, Sebastian Hellmann >>> <hellmann@informatik.uni-leipzig.de >>> <mailto:hellmann@informatik.uni-leipzig.de>> wrote: >>> >>> Hi Jonas, >>> >>> what you write confirms my fears. >>> >>> On 03.03.19 10:47, Jonas Smedegaard wrote: >>>> Quoting Sebastian Hellmann (2019-03-03 09:41:40) >>>>> Hi Kingsley, >>>>> >>>>> you are writing a lot of text without answering my simple question: >>>>> >>>>> If I find a way to change your public key in your WebID to match my >>>>> private key, can I log into your accounts with my private key? >>>>> >>>>> Your associated accounts for your WebID seem quite valuable already, I >>>>> could target your employees with root access and make them an offer they >>>>> can't refuse. >>>>> >>>>> What security measures against identity theft are in place and where can >>>>> I read about them? This here is minimal: >>>>> https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security >>>> This is a WebID:https://dr.jones.dk/me/#me >>> >>> And here is a list of other domains pointing to it: >>> >>> anniqa.dk <http://anniqa.dk> >>> bassballs.dk <http://bassballs.dk> >>> birgitmaanestraale.dk <http://birgitmaanestraale.dk> >>> byvandring.nu <http://byvandring.nu> >>> cityseeing.dk <http://cityseeing.dk> >>> couchdesign.dk <http://couchdesign.dk> >>> dns.jones.dk <http://dns.jones.dk> >>> electrohype.dk <http://electrohype.dk> >>> event.jones.dk <http://event.jones.dk> >>> feliciaweb.dk <http://feliciaweb.dk> >>> jones.dk <http://jones.dk> >>> kassandra-production.dk <http://kassandra-production.dk> >>> lejlighederinc.org <http://lejlighederinc.org> >>> mail.jones.dk <http://mail.jones.dk> >>> majasguf.dk <http://majasguf.dk> >>> mejeriet.oroe.dk <http://mejeriet.oroe.dk> >>> parl.debian.net <http://parl.debian.net> >>> perilin.jones.dk <http://perilin.jones.dk> >>> public-e.dk <http://public-e.dk> >>> ressourceoptimering.dk <http://ressourceoptimering.dk> >>> solidbox.org <http://solidbox.org> >>> stadsvandring.dk <http://stadsvandring.dk> >>> www.xpositionreverse.org <http://www.xpositionreverse.org> >>> xayide.jones.dk <http://xayide.jones.dk> >>> xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk <http://xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk> >>> xpositionreverse.org <http://xpositionreverse.org> >>> >>> This takes three minutes here: >>> https://hackertarget.com/reverse-ip-lookup/ >>> >>> I am sure some of them are on the same server as your >>> WebID and maybe I find a hole in them for accessing your >>> webid document directly or more subtle add a .htaccess >>> rule . >>> >>> >>>> That is an identity. Just like "Jonas Smedegaard" is an identity. >>>> >>>> It is not secure against identity theft. It is just a URI. >>> >>> In itself this is cool and secure, but it is also a >>> beacon for personal attacks. This is also worth the >>> effort. If I hack into Kingsleys WebID and post some of >>> his most silliest private pictures in social media with >>> the note that he has been hacked, OpenLink will loose a >>> lot of customers. The competitor who hacked him can pick >>> them up. It can bring down whole companies, if you >>> target the right persons. Also it is much more >>> attractive to hack into TimBL's WebID than into the W3C >>> site or his personal website. >>> >>> >>>> *** >>>> >>>> An RDF document is served at the URL of my WebID. >>>> >>>> That is an identifier. Just like my birth certificate and my passport >>>> are identifiers. >>>> >>>> It is not secure against identity theft. It is just a document. >>> >>> I see this differently. Birth certificate and passport >>> are issued by trusted third parties and your passport >>> contains hundreds of security measures, while the RDF >>> document contains exactly 0. >>> >>>> *** >>>> >>>> A public TLS key is contained within my WebID RDF document. >>>> >>>> That can be used for (the public part of) WebID+TLS authentication. >>>> Just as contacting the church where I was baptised to verify that >>>> they got a matching copy of my birth certificate, or call up the >>>> danish authorities to verify if they got matching credentials for >>>> my passport can authenticate identifiers for my other identities. >>> >>> The problem I have is that the unprotected RDF document >>> Identity claim determines the way how this claim is >>> verified. Personally, I see the private key as most >>> secure thing and there are many better systems that >>> point from the private key to the identifier, Bitcoin >>> addresses for example and this is the level of security >>> I would like to have for my WebID. In the most paranoid >>> case, wearing it in an USB stick with only me knowing >>> the password around my neck. >>> >>> There are also very good systems that provide excellent >>> protection for individuals: >>> >>> * my credit card: basically my pin code can be >>> compromised by the person behind me looking over my >>> shoulder at the ice cream shop, but the contract I have >>> limits my risk to 50€ in case of any fraud. Sometimes >>> they even call me to verify suspicions. >>> >>> * The certificate authorities are quite an established >>> system. So they could certify the link between my >>> public/private key and my WebID. I would have an extra >>> channel in case of private key loss and I think it is >>> also possible to extend this trust to my agents acting >>> as a CA and issuing lower level certificates. >>> >>> We tried to implement WebID: >>> https://github.com/dbpedia/webid >>> >>> I also implemented a client that does requests every >>> hour via the WebID system, basically curl with the >>> private key and a self-signed certificate with the WebID >>> as SAN . It is nothing critical, but it is a cronjob and >>> in order for it to work I put the password for the webid >>> in a plaintext config file. I only use the Webid and >>> private key for this and everything is on the same >>> server, but then 4 other people have root access there, >>> which I trust completely. >>> >>> I knew that this compromises security a lot, but it is >>> ok at the moment, since damage would be minimal. Now I >>> feel, that I have to make a new public/private key for >>> everything I implement and if one gets compromised >>> somebody can create new accounts with my webid. >>> >>> Maybe there is a better way to do this, please tell me. >>> >>> All the best, >>> >>> Sebastian >>> >>> >>>> *** >>>> >>>> If you find a way to break into and manipulate my web server, or if you >>>> bribe the clerk at the church or the police department, then you can >>>> steal my identities. >>>> >>>> For WebID+TLS you would want to find flaws in TLS to break into the >>>> protocol of authenticating WebIDs _that_ way. And similarly for other >>>> authentication protocols of WebID. >>>> >>>> There might be ways _specifically_ to how TLS to tied to WebID, and >>>> those might be flawed. Which is what you found a document about. But >>>> that document does not cover all the *other* ways you can gain control >>>> over my WebID, including simply showing up at my doorstep and kick me in >>>> the face with a bat until I hand over the private TLS key, or burn down >>>> my house (it is made of wood) to stop my server from running. >>>> >>>> What was your "simple question" again? >>>> >>>> >>>> - Jonas >>>> >>> -- >>> All the best, >>> Sebastian Hellmann >>> >>> Director of Knowledge Integration and Linked Data >>> Technologies (KILT) Competence Center >>> at the Institute for Applied Informatics (InfAI) at >>> Leipzig University >>> Executive Director of the DBpedia Association >>> Projects: http://dbpedia.org, http://nlp2rdf.org, >>> http://linguistics.okfn.org, >>> https://www.w3.org/community/ld4lt >>> <http://www.w3.org/community/ld4lt> >>> Homepage: http://aksw.org/SebastianHellmann >>> Research Group: http://aksw.org >>> >> -- >> All the best, >> Sebastian Hellmann >> >> Director of Knowledge Integration and Linked Data >> Technologies (KILT) Competence Center >> at the Institute for Applied Informatics (InfAI) at Leipzig >> University >> Executive Director of the DBpedia Association >> Projects: http://dbpedia.org, http://nlp2rdf.org, >> http://linguistics.okfn.org, >> https://www.w3.org/community/ld4lt >> <http://www.w3.org/community/ld4lt> >> Homepage: http://aksw.org/SebastianHellmann >> Research Group: http://aksw.org >> > -- > All the best, > Sebastian Hellmann > > Director of Knowledge Integration and Linked Data Technologies > (KILT) Competence Center > at the Institute for Applied Informatics (InfAI) at Leipzig University > Executive Director of the DBpedia Association > Projects: http://dbpedia.org, http://nlp2rdf.org, > http://linguistics.okfn.org, https://www.w3.org/community/ld4lt > <http://www.w3.org/community/ld4lt> > Homepage: http://aksw.org/SebastianHellmann > Research Group: http://aksw.org > -- All the best, Sebastian Hellmann Director of Knowledge Integration and Linked Data Technologies (KILT) Competence Center at the Institute for Applied Informatics (InfAI) at Leipzig University Executive Director of the DBpedia Association Projects: http://dbpedia.org, http://nlp2rdf.org, http://linguistics.okfn.org, https://www.w3.org/community/ld4lt <http://www.w3.org/community/ld4lt> Homepage: http://aksw.org/SebastianHellmann Research Group: http://aksw.org
Received on Monday, 4 March 2019 09:00:43 UTC