- From: Sebastian Hellmann <hellmann@informatik.uni-leipzig.de>
- Date: Sun, 3 Mar 2019 17:43:27 +0100
- To: Jonas Smedegaard <jonas@jones.dk>, Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org
- Message-ID: <6cccd569-912c-2084-86fe-df125cf317d6@informatik.uni-leipzig.de>
Hi Jonas, what you write confirms my fears. On 03.03.19 10:47, Jonas Smedegaard wrote: > Quoting Sebastian Hellmann (2019-03-03 09:41:40) >> Hi Kingsley, >> >> you are writing a lot of text without answering my simple question: >> >> If I find a way to change your public key in your WebID to match my >> private key, can I log into your accounts with my private key? >> >> Your associated accounts for your WebID seem quite valuable already, I >> could target your employees with root access and make them an offer they >> can't refuse. >> >> What security measures against identity theft are in place and where can >> I read about them? This here is minimal: >> https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security > This is a WebID: https://dr.jones.dk/me/#me And here is a list of other domains pointing to it: anniqa.dk bassballs.dk birgitmaanestraale.dk byvandring.nu cityseeing.dk couchdesign.dk dns.jones.dk electrohype.dk event.jones.dk feliciaweb.dk jones.dk kassandra-production.dk lejlighederinc.org mail.jones.dk majasguf.dk mejeriet.oroe.dk parl.debian.net perilin.jones.dk public-e.dk ressourceoptimering.dk solidbox.org stadsvandring.dk www.xpositionreverse.org xayide.jones.dk xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk xpositionreverse.org This takes three minutes here: https://hackertarget.com/reverse-ip-lookup/ I am sure some of them are on the same server as your WebID and maybe I find a hole in them for accessing your webid document directly or more subtle add a .htaccess rule . > That is an identity. Just like "Jonas Smedegaard" is an identity. > > It is not secure against identity theft. It is just a URI. In itself this is cool and secure, but it is also a beacon for personal attacks. This is also worth the effort. If I hack into Kingsleys WebID and post some of his most silliest private pictures in social media with the note that he has been hacked, OpenLink will loose a lot of customers. The competitor who hacked him can pick them up. It can bring down whole companies, if you target the right persons. Also it is much more attractive to hack into TimBL's WebID than into the W3C site or his personal website. > *** > > An RDF document is served at the URL of my WebID. > > That is an identifier. Just like my birth certificate and my passport > are identifiers. > > It is not secure against identity theft. It is just a document. I see this differently. Birth certificate and passport are issued by trusted third parties and your passport contains hundreds of security measures, while the RDF document contains exactly 0. > *** > > A public TLS key is contained within my WebID RDF document. > > That can be used for (the public part of) WebID+TLS authentication. > Just as contacting the church where I was baptised to verify that > they got a matching copy of my birth certificate, or call up the > danish authorities to verify if they got matching credentials for > my passport can authenticate identifiers for my other identities. The problem I have is that the unprotected RDF document Identity claim determines the way how this claim is verified. Personally, I see the private key as most secure thing and there are many better systems that point from the private key to the identifier, Bitcoin addresses for example and this is the level of security I would like to have for my WebID. In the most paranoid case, wearing it in an USB stick with only me knowing the password around my neck. There are also very good systems that provide excellent protection for individuals: * my credit card: basically my pin code can be compromised by the person behind me looking over my shoulder at the ice cream shop, but the contract I have limits my risk to 50€ in case of any fraud. Sometimes they even call me to verify suspicions. * The certificate authorities are quite an established system. So they could certify the link between my public/private key and my WebID. I would have an extra channel in case of private key loss and I think it is also possible to extend this trust to my agents acting as a CA and issuing lower level certificates. We tried to implement WebID: https://github.com/dbpedia/webid I also implemented a client that does requests every hour via the WebID system, basically curl with the private key and a self-signed certificate with the WebID as SAN . It is nothing critical, but it is a cronjob and in order for it to work I put the password for the webid in a plaintext config file. I only use the Webid and private key for this and everything is on the same server, but then 4 other people have root access there, which I trust completely. I knew that this compromises security a lot, but it is ok at the moment, since damage would be minimal. Now I feel, that I have to make a new public/private key for everything I implement and if one gets compromised somebody can create new accounts with my webid. Maybe there is a better way to do this, please tell me. All the best, Sebastian > > *** > > If you find a way to break into and manipulate my web server, or if you > bribe the clerk at the church or the police department, then you can > steal my identities. > > For WebID+TLS you would want to find flaws in TLS to break into the > protocol of authenticating WebIDs _that_ way. And similarly for other > authentication protocols of WebID. > > There might be ways _specifically_ to how TLS to tied to WebID, and > those might be flawed. Which is what you found a document about. But > that document does not cover all the *other* ways you can gain control > over my WebID, including simply showing up at my doorstep and kick me in > the face with a bat until I hand over the private TLS key, or burn down > my house (it is made of wood) to stop my server from running. > > What was your "simple question" again? > > > - Jonas > -- All the best, Sebastian Hellmann Director of Knowledge Integration and Linked Data Technologies (KILT) Competence Center at the Institute for Applied Informatics (InfAI) at Leipzig University Executive Director of the DBpedia Association Projects: http://dbpedia.org, http://nlp2rdf.org, http://linguistics.okfn.org, https://www.w3.org/community/ld4lt <http://www.w3.org/community/ld4lt> Homepage: http://aksw.org/SebastianHellmann Research Group: http://aksw.org
Received on Sunday, 3 March 2019 16:44:03 UTC