Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

[As an individual]

On Wed, May 9, 2012 at 11:25 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> I'm responding to two messages at once because I didn't receive the
> earlier of these.  I should note that I'm not actually a subscriber to
> any w3c list, and so if one wants me to address a particular objection
> one needs to cc: me for the time being.  I appreciate the comments,
> however!
>
> On Thu, May 10, 2012 at 07:17:40AM +0200, Henrik Nordström wrote:
>> Wed 2012-05-09 at 22:10 -0700, Maciej Stachowiak wrote:
>>
>> > Treating separate domains as same-origin based on DNS records seems
>> > extremely dangerous
>
> I'm not sure how I can respond to this objection, given that the
> entire idea of "same origin" without DNS is hard for me to understand.
> What do you mean by it?

Not all origins are based on DNS names.  For example, Chrome
extensions use origins based on public keys:

chrome-extension://dkjkhnleklkkccenbnlohlbkbdpdobdb

where dkjkhnleklkkccenbnlohlbkbdpdobdb is a digest of a public key.
In particular, DNS entries for dkjkhnleklkkccenbnlohlbkbdpdobdb (or
any DNS entries for that matter) ought not to open this origin up to attack.

Notice that the scheme is an essential part of the origin security
model.  Disregarding it, as your draft appears to do, is a serious
vulnerability and will prevent it from being implemented by browsers.

> I think the draft actually points out that,
> if both sides don't agree or you're not using DNSSEC (or both), there
> are problems.  Is that not clear enough?

Clarity isn't the issue.  The problem is that the approach you've
outlined isn't secure.

>> Further, the user-agent may be using proxies, not using or even having
>> access to DNS.
>
> Indeed, and I thought I called that out as one of the central
> problems:
>
> 6.  Limitations of the approach
> […]
>   Finally, in many environments the system hosting the application has
>   only proxied access to the Internet, and cannot query the DNS
>   directly.  It is not clear how such clients could ever possibly
>   retrieve the BOUND record for a name.
>
> Is that not clear enough?  What would make it clearer?

Again, clarity isn't the issue.  The issue is that this limitation
will prevent browsers from implementing this mechanism.

Adam

Received on Thursday, 10 May 2012 06:43:05 UTC
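To make the scheme point in the message above concrete, here is an added example (my own illustration, not code from the thread, the draft, or any browser). It contrasts a host-only "same-origin" check driven by mutual DNS assertions with one that keeps scheme and port in the comparison and applies DNS-derived assertions only to DNS-based schemes. The `BOUND` dictionary is a constructed stand-in for the draft's record; the real wire format is not modelled.

```python
from urllib.parse import urlsplit

# Schemes whose host component is a DNS name, with their default ports.
# A scheme not listed here (e.g. chrome-extension://, whose "host" is a
# public-key digest) must never be widened by a DNS-derived assertion.
DNS_BASED_SCHEMES = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:
        port = DNS_BASED_SCHEMES.get(scheme)  # default port; None for other schemes
    return (scheme, host, port)

# Constructed stand-in for mutual BOUND-style assertions: each name lists the
# names it claims to share an origin with. The extension-id entry models a DNS
# name that happens to equal a key digest (the case the message warns about).
BOUND = {
    "a.example": {"b.example"},
    "b.example": {"a.example"},
    "dkjkhnleklkkccenbnlohlbkbdpdobdb": {"other.example"},
    "other.example": {"dkjkhnleklkkccenbnlohlbkbdpdobdb"},
}

def mutually_bound(h1, h2):
    """Both sides must assert each other (the draft's 'both sides agree')."""
    return h2 in BOUND.get(h1, set()) and h1 in BOUND.get(h2, set())

def host_only_same_origin(url1, url2):
    """Unsafe check: merges origins on host names alone, ignoring the scheme."""
    _, h1, _ = origin(url1)
    _, h2, _ = origin(url2)
    return h1 == h2 or mutually_bound(h1, h2)

def scheme_aware_same_origin(url1, url2):
    """Safer check: identical tuples are same-origin; a DNS assertion may widen
    that only for DNS-based schemes, and only when scheme and port also match."""
    s1, h1, p1 = origin(url1)
    s2, h2, p2 = origin(url2)
    if (s1, h1, p1) == (s2, h2, p2):
        return True
    if s1 != s2 or p1 != p2 or s1 not in DNS_BASED_SCHEMES:
        return False
    return mutually_bound(h1, h2)
```

The host-only variant treats the extension origin and `https://other.example` as the same origin, exactly the widening the message objects to; the scheme-aware variant refuses that while still honouring a mutual assertion between two `https` hosts on the same port.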