W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: Private Devices and IoT (was Proposal: Marking HTTP As Non-Secure)

From: Adam Langley <agl@chromium.org>
Date: Mon, 23 Feb 2015 10:32:18 -0800
Message-ID: <CAL9PXLxQpq3=e5eWkUa6yhsXyFycNFREWZ7VwW_1jPUqbR+uqA@mail.gmail.com>
To: noloader@gmail.com
Cc: Chris Palmer <palmer@google.com>, security-dev <security-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Sun, Feb 22, 2015 at 10:35 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> Hi Chris,
>
> Sorry to dig up an old thread.
>
>> Yes, I agree this is a problem. I am hoping to publish a proposal for
>> how UAs can authenticate private devices soon (in January probably).
>
> Were you able to publish something? I wanted to read more about what
> directions the solutions are moving towards.
>
> This just made my radar:
> http://blog.kaspersky.com/internet-of-crappy-things/, and I was
> wondering how much has been addressed and how much is hyperbole.

Chris has disappeared off to write a book for a few months and
promises to mostly not check email. I still have this idea in my head
but haven't written anything. In my formulation, it would be a PAKE
scheme based mutual authentication done above the TLS layer, but used
to confirm the certificate. Chris was thinking more along the lines of
a public-key hash in the URL, but wanted it to be useably short and
thus worryingly weak.


Cheers

AGL

>
> Thanks in advance.
>
> Jeff
>
> On Thu, Dec 18, 2014 at 2:33 PM, Chris Palmer <palmer@google.com> wrote:
>> On Thu, Dec 18, 2014 at 9:52 AM, jstriegel via blink-dev
>> <blink-dev@chromium.org> wrote:
>>
>>> I'd like to propose consideration of a fourth category:
>>> Personal Devices (home routers, printers, IoT, raspberry pis in classrooms, refrigerators):
>>>  - cannot, by nature, participate in DNS and CA systems
>>>  - likely on private network block
>>>  - user is the owner of the service, hence can trust self rather than CA
>>>
>>> Suggested use:
>>>  - IoT devices generate unique, self-signed cert
>>>  - Friendlier interstitial (Ie. "Is this a device you recognize?") for self-signed connections on *.local, 192.168.*, 10.*, or on same local network as browser.
>>>  - user approves use on first https connection
>>>  - browser remembers (device is promoted to "secure" status)
>>>
>>> A lot of IoT use cases could benefit from direct connection (not requiring a cloud service as secure data proxy), but this currently gives the scariest of Chrome warnings. This is probably why the average home router or firewall is administered over http.
>>
>> Yes, I agree this is a problem. I am hoping to publish a proposal for
>> how UAs can authenticate private devices soon (in January probably).
>>
>> A key goal is not having to ask the user "Is this a device you
>> recognize?" — I think we can get the UX flow even simpler, and still
>> be strong. Watch this space...
>>
Received on Wednesday, 25 February 2015 20:42:20 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC