Re: Recovery of compromised WebID

Hi Martynas,

On 04.03.19 00:00, Martynas Jusevičius wrote:
> Senastian,
>
> I understand your concern, but is that within the scope of an identity 
> protocol? Sounds more like identity theft problem.
>
> If I seize your computer (which is arguably easier than seizing a 
> server) and start using your OpenID, would the effect not be the same?
>
That is not the point here. My main point is, that there is plenty of 
motive (personal, commercial or just for fun) AND opportunity. I fell 
like having a WebID in its current form and also a solid box is like 
leaving valuables open in your car and then announcing where you left 
it. Like they would open your BMW electronically, there are also experts 
who now server exploits.

In the form it is now, just the fact that you have a WebID and a solid 
box might increase the number of hacking attacks, port scanners, etc. on 
your server. It would be equivalent to the attacks your browser has to 
withstand.

My laptop is hardware encrypted, my browser has an extra password. So 
there are two good "even if" . I am missing these "even ifs" after you 
remove the first layer of security of WebID. Furthermore the protocol 
seems secure by having keywords like public/private key and TLS, when in 
fact a script kiddie could find an exploit on your server and render the 
strong private key and TLS security ineffective. De facto the security 
level can be much lower and it is not uniform across the protocol.


> identity protocol? Sounds more like identity theft problem.

WebID - an identity protocol that creates new motives and opportunities 
for identity theft.


For solid there are more dangers like SynoLocker: 
https://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware 


However, foremost, I am caring about the WebID protocol.

All the best,

Sebastian



> On Sun, 3 Mar 2019 at 23.49, Sebastian Hellmann 
> <hellmann@informatik.uni-leipzig.de 
> <mailto:hellmann@informatik.uni-leipzig.de>> wrote:
>
>     Thank you Martynas,
>
>     this would add an extra layer of security. I would consider the
>     whole system moderately secure with this measure alone. At the
>     moment, I would discourage anybody from using WebID, with this I
>     would judge it acceptable, not great, but acceptable, since I
>     think you would still be able to create new accounts on additional
>     websites, plus there needs to be a way to recover from loss of
>     private key.
>
>     I would welcome one extra layer like the bitcoin (private key
>     points to address, not the other way round) or the CA signature of
>     the WebID to public key link. But there could be more elegant
>     methods. Having _a professional third party like a CA protecting
>     the system_ would however take a lot of stress from individuals
>     trying to secure their servers.
>
>     -- Sebastian
>
>
>     On 03.03.19 19:35, Martynas Jusevičius wrote:
>>     Sebastian,
>>
>>     WebID-TLS relies on you having authority over your WebID profile.
>>     If that authority is compromised, your WebID identity is
>>     compromised as well.
>>
>>     Isn’t there a pretty easy safeguard for this though? I think it
>>     would be sufficient for the Verification Agent [1] to store a
>>     copy of the RDF profile first time it sees a WebID, so it can
>>     notice when the public key from the client certificate does not
>>     match it anymore.
>>
>>     I think this is like storing public keys on GitHub. SSH is
>>     considered a secure protocol, but connecting with any key is not
>>     enough - an extra step is required for security.
>>
>>     Martynas
>>
>>     [1]
>>     https://www.w3.org/2005/Incubator/webid/spec/tls/#verifying-the-webids
>>
>>     On Sun, 3 Mar 2019 at 17.45, Sebastian Hellmann
>>     <hellmann@informatik.uni-leipzig.de
>>     <mailto:hellmann@informatik.uni-leipzig.de>> wrote:
>>
>>         Hi Jonas,
>>
>>         what you write confirms my fears.
>>
>>         On 03.03.19 10:47, Jonas Smedegaard wrote:
>>>         Quoting Sebastian Hellmann (2019-03-03 09:41:40)
>>>>         Hi Kingsley,
>>>>
>>>>         you are writing a lot of text without answering my simple question:
>>>>
>>>>         If I find a way to change your public key in your WebID to match my
>>>>         private key, can I log into your accounts with my private key?
>>>>
>>>>         Your associated accounts for your WebID seem quite valuable already, I
>>>>         could target your employees with root access and make them an offer they
>>>>         can't refuse.
>>>>
>>>>         What security measures against identity theft are in place and where can
>>>>         I read about them? This here is minimal:
>>>>         https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security
>>>         This is a WebID:https://dr.jones.dk/me/#me
>>
>>         And here is a list of other domains pointing to it:
>>
>>         anniqa.dk  <http://anniqa.dk>
>>         bassballs.dk  <http://bassballs.dk>
>>         birgitmaanestraale.dk  <http://birgitmaanestraale.dk>
>>         byvandring.nu  <http://byvandring.nu>
>>         cityseeing.dk  <http://cityseeing.dk>
>>         couchdesign.dk  <http://couchdesign.dk>
>>         dns.jones.dk  <http://dns.jones.dk>
>>         electrohype.dk  <http://electrohype.dk>
>>         event.jones.dk  <http://event.jones.dk>
>>         feliciaweb.dk  <http://feliciaweb.dk>
>>         jones.dk  <http://jones.dk>
>>         kassandra-production.dk  <http://kassandra-production.dk>
>>         lejlighederinc.org  <http://lejlighederinc.org>
>>         mail.jones.dk  <http://mail.jones.dk>
>>         majasguf.dk  <http://majasguf.dk>
>>         mejeriet.oroe.dk  <http://mejeriet.oroe.dk>
>>         parl.debian.net  <http://parl.debian.net>
>>         perilin.jones.dk  <http://perilin.jones.dk>
>>         public-e.dk  <http://public-e.dk>
>>         ressourceoptimering.dk  <http://ressourceoptimering.dk>
>>         solidbox.org  <http://solidbox.org>
>>         stadsvandring.dk  <http://stadsvandring.dk>
>>         www.xpositionreverse.org  <http://www.xpositionreverse.org>
>>         xayide.jones.dk  <http://xayide.jones.dk>
>>         xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk  <http://xn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dk>
>>         xpositionreverse.org  <http://xpositionreverse.org>
>>
>>         This takes three minutes here:
>>         https://hackertarget.com/reverse-ip-lookup/
>>
>>         I am sure some of them are on the same server as your WebID
>>         and maybe I find a hole in them for accessing your webid 
>>         document directly or more subtle add a .htaccess rule .
>>
>>
>>>         That is an identity. Just like "Jonas Smedegaard" is an identity.
>>>
>>>         It is not secure against identity theft. It is just a URI.
>>
>>         In itself this is cool and secure, but it is also a beacon
>>         for personal attacks. This is also worth the effort. If I
>>         hack into Kingsleys WebID and post some of his most silliest
>>         private pictures in social media with the note that he has
>>         been hacked, OpenLink will loose a lot of customers. The
>>         competitor who hacked him can pick them up. It can bring down
>>         whole companies, if you target the right persons. Also it is
>>         much more attractive to hack into TimBL's WebID than into the
>>         W3C site or his personal website.
>>
>>
>>>         ***
>>>
>>>         An RDF document is served at the URL of my WebID.
>>>
>>>         That is an identifier.  Just like my birth certificate and my passport
>>>         are identifiers.
>>>
>>>         It is not secure against identity theft.  It is just a document.
>>
>>         I see this differently. Birth certificate and passport are
>>         issued by trusted third parties and your passport contains
>>         hundreds of security measures, while the RDF document
>>         contains exactly 0.
>>
>>>         ***
>>>
>>>         A public TLS key is contained within my WebID RDF document.
>>>
>>>         That can be used for (the public part of) WebID+TLS authentication.
>>>         Just as contacting the church where I was baptised to verify that
>>>         they got a matching copy of my birth certificate, or call up the
>>>         danish authorities to verify if they got matching credentials for
>>>         my passport can authenticate identifiers for my other identities.
>>
>>         The problem I have is that the unprotected RDF document
>>         Identity claim determines the way how this claim is verified.
>>         Personally, I see the private key as most secure thing and
>>         there are many better systems that point from the private key
>>         to the identifier, Bitcoin addresses for example and this is
>>         the level of security I would like to have for my WebID. In
>>         the most paranoid case, wearing it in an USB stick with only
>>         me knowing the password around my neck.
>>
>>         There are also very good systems that provide excellent
>>         protection for individuals:
>>
>>         * my credit card: basically my pin code can be compromised by
>>         the person behind me looking over my shoulder at the ice
>>         cream shop, but the contract I have limits my risk to 50€ in
>>         case of any fraud. Sometimes they even call me to verify
>>         suspicions.
>>
>>         * The certificate authorities are quite an established
>>         system. So they could certify the link between my
>>         public/private key and my WebID. I would have an extra
>>         channel in case of private key loss and I think it is also
>>         possible to extend this trust to my agents acting as a CA and
>>         issuing lower level certificates.
>>
>>         We tried to implement WebID: https://github.com/dbpedia/webid
>>
>>         I also implemented a client that does requests every hour via
>>         the WebID system, basically curl with the private key and a
>>         self-signed certificate with the WebID as SAN . It is nothing
>>         critical, but it is a cronjob and in order for it to work I
>>         put the password for the webid in a plaintext config file. I
>>         only use the Webid and private key for this and everything is
>>         on the same server, but then 4 other people have root access
>>         there, which I trust completely.
>>
>>         I knew that this compromises security a lot, but it is ok at
>>         the moment, since damage would be minimal. Now I feel, that I
>>         have to make a new public/private key for everything I
>>         implement and if one gets compromised somebody can create new
>>         accounts with my webid.
>>
>>         Maybe there is a better way to do this, please tell me.
>>
>>         All the best,
>>
>>         Sebastian
>>
>>
>>>         ***
>>>
>>>         If you find a way to break into and manipulate my web server, or if you
>>>         bribe the clerk at the church or the police department, then you can
>>>         steal my identities.
>>>
>>>         For WebID+TLS you would want to find flaws in TLS to break into the
>>>         protocol of authenticating WebIDs _that_ way.  And similarly for other
>>>         authentication protocols of WebID.
>>>
>>>         There might be ways _specifically_ to how TLS to tied to WebID, and
>>>         those might be flawed.  Which is what you found a document about.  But
>>>         that document does not cover all the *other* ways you can gain control
>>>         over my WebID, including simply showing up at my doorstep and kick me in
>>>         the face with a bat until I hand over the private TLS key, or burn down
>>>         my house (it is made of wood) to stop my server from running.
>>>
>>>         What was your "simple question" again?
>>>
>>>
>>>           - Jonas
>>>
>>         -- 
>>         All the best,
>>         Sebastian Hellmann
>>
>>         Director of Knowledge Integration and Linked Data
>>         Technologies (KILT) Competence Center
>>         at the Institute for Applied Informatics (InfAI) at Leipzig
>>         University
>>         Executive Director of the DBpedia Association
>>         Projects: http://dbpedia.org, http://nlp2rdf.org,
>>         http://linguistics.okfn.org,
>>         https://www.w3.org/community/ld4lt
>>         <http://www.w3.org/community/ld4lt>
>>         Homepage: http://aksw.org/SebastianHellmann
>>         Research Group: http://aksw.org
>>
>     -- 
>     All the best,
>     Sebastian Hellmann
>
>     Director of Knowledge Integration and Linked Data Technologies
>     (KILT) Competence Center
>     at the Institute for Applied Informatics (InfAI) at Leipzig University
>     Executive Director of the DBpedia Association
>     Projects: http://dbpedia.org, http://nlp2rdf.org,
>     http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
>     <http://www.w3.org/community/ld4lt>
>     Homepage: http://aksw.org/SebastianHellmann
>     Research Group: http://aksw.org
>
-- 
All the best,
Sebastian Hellmann

Director of Knowledge Integration and Linked Data Technologies (KILT) 
Competence Center
at the Institute for Applied Informatics (InfAI) at Leipzig University
Executive Director of the DBpedia Association
Projects: http://dbpedia.org, http://nlp2rdf.org, 
http://linguistics.okfn.org, https://www.w3.org/community/ld4lt 
<http://www.w3.org/community/ld4lt>
Homepage: http://aksw.org/SebastianHellmann
Research Group: http://aksw.org

Received on Monday, 4 March 2019 08:21:30 UTC