Re: Recovery of compromised WebID

Hi Jonas,

What you write confirms my fears.

On 03.03.19 10:47, Jonas Smedegaard wrote:
> Quoting Sebastian Hellmann (2019-03-03 09:41:40)
>> Hi Kingsley,
>>
>> you are writing a lot of text without answering my simple question:
>>
>> If I find a way to change your public key in your WebID to match my
>> private key, can I log into your accounts with my private key?
>>
>> Your associated accounts for your WebID seem quite valuable already, I
>> could target your employees with root access and make them an offer they
>> can't refuse.
>>
>> What security measures against identity theft are in place and where can
>> I read about them? This here is minimal:
>> https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security
> This is a WebID: https://dr.jones.dk/me/#me

And here is a list of other domains pointing to it:

anniqa.dk
bassballs.dk
birgitmaanestraale.dk
byvandring.nu
cityseeing.dk
couchdesign.dk
dns.jones.dk
electrohype.dk
event.jones.dk
feliciaweb.dk
jones.dk
kassandra-production.dk
lejlighederinc.org
mail.jones.dk
majasguf.dk
mejeriet.oroe.dk
parl.debian.net
perilin.jones.dk
public-e.dk
ressourceoptimering.dk
solidbox.org
stadsvandring.dk
www.xpositionreverse.org
xayide.jones.dk
xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk
xpositionreverse.org

This takes three minutes here: https://hackertarget.com/reverse-ip-lookup/

I am sure some of them are on the same server as your WebID, and maybe I 
will find a hole in them for accessing your WebID document directly or, more 
subtly, for adding a .htaccess rule.


> That is an identity. Just like "Jonas Smedegaard" is an identity.
>
> It is not secure against identity theft. It is just a URI.

In itself this is cool and secure, but it is also a beacon for personal 
attacks. This is also worth the effort. If I hack into Kingsley's WebID 
and post some of his silliest private pictures on social media with 
the note that he has been hacked, OpenLink will lose a lot of 
customers. The competitor who hacked him can pick them up. It can bring 
down whole companies if you target the right persons. Also, it is much 
more attractive to hack into TimBL's WebID than into the W3C site or his 
personal website.


> ***
>
> An RDF document is served at the URL of my WebID.
>
> That is an identifier.  Just like my birth certificate and my passport
> are identifiers.
>
> It is not secure against identity theft.  It is just a document.

I see this differently. A birth certificate and a passport are issued by 
trusted third parties, and your passport contains hundreds of security 
measures, while the RDF document contains exactly 0.

> ***
>
> A public TLS key is contained within my WebID RDF document.
>
> That can be used for (the public part of) WebID+TLS authentication.
> Just as contacting the church where I was baptised to verify that
> they got a matching copy of my birth certificate, or call up the
> danish authorities to verify if they got matching credentials for
> my passport can authenticate identifiers for my other identities.

The problem I have is that the unprotected RDF document identity claim 
determines the way this claim is verified. Personally, I see the 
private key as the most secure thing, and there are many better systems that 
point from the private key to the identifier, Bitcoin addresses for 
example, and this is the level of security I would like to have for my 
WebID. In the most paranoid case, wearing it on a USB stick around my neck, 
with only me knowing the password.

There are also very good systems that provide excellent protection for 
individuals:

* my credit card: basically my PIN code can be compromised by the person 
behind me looking over my shoulder at the ice cream shop, but the 
contract I have limits my risk to 50€ in case of any fraud. Sometimes 
they even call me to verify suspicions.

* The certificate authorities are quite an established system, so they 
could certify the link between my public/private key and my WebID. I 
would have an extra channel in case of private key loss, and I think it 
is also possible to extend this trust to my agents acting as a CA and 
issuing lower-level certificates.

We tried to implement WebID: https://github.com/dbpedia/webid

I also implemented a client that does requests every hour via the WebID 
system, basically curl with the private key and a self-signed 
certificate with the WebID as SAN. It is nothing critical, but it is a 
cron job, and in order for it to work I put the password for the WebID in 
a plaintext config file. I only use the WebID and private key for this, 
and everything is on the same server, but then 4 other people have root 
access there, whom I trust completely.

I knew that this compromises security a lot, but it is OK at the moment, 
since the damage would be minimal. Now I feel that I have to make a new 
public/private key for everything I implement, and if one gets 
compromised somebody can create new accounts with my WebID.

Maybe there is a better way to do this, please tell me.

All the best,

Sebastian


>
> ***
>
> If you find a way to break into and manipulate my web server, or if you
> bribe the clerk at the church or the police department, then you can
> steal my identities.
>
> For WebID+TLS you would want to find flaws in TLS to break into the
> protocol of authenticating WebIDs _that_ way.  And similarly for other
> authentication protocols of WebID.
>
> There might be ways _specifically_ to how TLS is tied to WebID, and
> those might be flawed.  Which is what you found a document about.  But
> that document does not cover all the *other* ways you can gain control
> over my WebID, including simply showing up at my doorstep and kick me in
> the face with a bat until I hand over the private TLS key, or burn down
> my house (it is made of wood) to stop my server from running.
>
> What was your "simple question" again?
>
>
>   - Jonas
>
-- 
All the best,
Sebastian Hellmann

Director of Knowledge Integration and Linked Data Technologies (KILT) 
Competence Center
at the Institute for Applied Informatics (InfAI) at Leipzig University
Executive Director of the DBpedia Association
Projects: http://dbpedia.org, http://nlp2rdf.org, 
http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
Homepage: http://aksw.org/SebastianHellmann
Research Group: http://aksw.org

Received on Sunday, 3 March 2019 16:44:03 UTC
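The "simple question" in this thread (if the public key published in the WebID document is replaced with an attacker's key, does the attacker authenticate as the owner?) comes down to the single check a WebID+TLS verifier performs: take the WebID URI from the client certificate's subjectAltName, fetch the profile document at that URI, and see whether one of its cert:key entries matches the certificate's RSA modulus and exponent. The following is an added example, not code from the thread, the DBpedia WebID project or any WebID library; it models that check with a constructed Turtle profile and invented (far too short) key values, and matches the cert:modulus/cert:exponent pairs with a regular expression instead of a real RDF parser. In a real verifier the key would come from the TLS client certificate and the document from an HTTPS GET; here both are passed in so the block runs offline. The three demo functions show the honest case, an attacker presenting the victim's WebID with their own key against an untouched profile, and the case the question is about: the same attacker after rewriting the profile document.

```python
"""WebID+TLS verification step: does the profile document at the WebID URI
publish the RSA public key presented in the client certificate?"""
import re
from urllib.parse import urldefrag

# Constructed example values (not real key material; a real modulus is 2048+ bits).
WEBID = "https://example.org/profile#me"
DOC_URL = "https://example.org/profile"
ALICE_MOD = "00c0ffee1234567890abcdef"      # hex, as cert:modulus would publish it
ALICE_EXP = 65537
MALLORY_MOD = "00badcafe0987654321fedcba"   # attacker's key, hex

# Constructed Turtle profile served at DOC_URL.
PROFILE_TTL = f"""
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<#me> cert:key [
    a cert:RSAPublicKey ;
    cert:modulus "{ALICE_MOD}"^^xsd:hexBinary ;
    cert:exponent {ALICE_EXP}
] .
"""

# Simplification: pull cert:modulus / cert:exponent pairs out with a regex.
# A production verifier would parse the RDF with a library such as rdflib.
_KEY_RE = re.compile(
    r'cert:modulus\s+"([0-9a-fA-F\s]+)"\^\^xsd:hexBinary\s*;\s*cert:exponent\s+(\d+)'
)


def profile_keys(turtle):
    """Return the (modulus, exponent) integer pairs published in the profile.
    Comparing integers rather than hex strings avoids leading-zero mismatches."""
    return [(int(re.sub(r"\s", "", mod_hex), 16), int(exp))
            for mod_hex, exp in _KEY_RE.findall(turtle)]


def authenticate(san_uris, cert_modulus, cert_exponent, fetch):
    """Core WebID+TLS check.

    san_uris      : URI entries from the client certificate's subjectAltName
    cert_modulus  : RSA modulus of the certificate's public key (int)
    cert_exponent : RSA public exponent (int)
    fetch         : callable mapping a document URL to its Turtle body
                    (an HTTPS GET in real life; a dict lookup here)
    Returns the first WebID whose profile publishes the certificate key, else None.
    """
    for webid in san_uris:
        doc_url, _fragment = urldefrag(webid)   # strip "#me" to get the document
        try:
            turtle = fetch(doc_url)
        except Exception:                       # unreachable document: skip it
            continue
        if (cert_modulus, cert_exponent) in profile_keys(turtle):
            return webid
    return None


def demo_honest():
    """Alice's own certificate against her untouched profile: authenticates."""
    store = {DOC_URL: PROFILE_TTL}
    return authenticate([WEBID], int(ALICE_MOD, 16), ALICE_EXP, store.__getitem__)


def demo_wrong_key():
    """Mallory puts Alice's WebID in her own cert's SAN but cannot change
    the profile: the key is not listed, so authentication fails."""
    store = {DOC_URL: PROFILE_TTL}
    return authenticate([WEBID], int(MALLORY_MOD, 16), ALICE_EXP, store.__getitem__)


def demo_rewritten_profile():
    """Mallory gained write access to the document and swapped the modulus:
    her key now matches, and she authenticates as Alice's WebID."""
    tampered = {DOC_URL: PROFILE_TTL.replace(ALICE_MOD, MALLORY_MOD)}
    return authenticate([WEBID], int(MALLORY_MOD, 16), ALICE_EXP, tampered.__getitem__)


if __name__ == "__main__":
    print("honest cert, honest profile :", demo_honest())
    print("attacker cert, honest profile:", demo_wrong_key())
    print("attacker cert, rewritten doc :", demo_rewritten_profile())
```

The third case is the whole point: the verifier trusts whatever the document says, so control over the document (the web server, its .htaccess, or the TLS certificate used to serve it) is control over the identity, and no property of the private key itself stops that.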