Re: Recovery of compromised WebID

Sebastian,

due to decentralized and self-hosted nature of WebID, the potential of mass
identity theft is actually lower, compared to a centralized server with a
large number of accounts. So is WebID more secure that way, on a global
scale?

I think issues like these should be addressed in the W3C process advancing
WebID towards a Recommendation. Nobody could really answer me why that has
not happened yet.
On Mon, 4 Mar 2019 at 09.21, Sebastian Hellmann <
hellmann@informatik.uni-leipzig.de> wrote:

> Hi Martynas,
> On 04.03.19 00:00, Martynas Jusevičius wrote:
>
> Senastian,
>
> I understand your concern, but is that within the scope of an identity
> protocol? Sounds more like identity theft problem.
>
> If I seize your computer (which is arguably easier than seizing a server)
> and start using your OpenID, would the effect not be the same?
>
> That is not the point here. My main point is, that there is plenty of
> motive (personal, commercial or just for fun) AND opportunity. I fell like
> having a WebID in its current form and also a solid box is like leaving
> valuables open in your car and then announcing where you left it. Like they
> would open your BMW electronically, there are also experts who now server
> exploits.
>
> In the form it is now, just the fact that you have a WebID and a solid box
> might increase the number of hacking attacks, port scanners, etc. on your
> server. It would be equivalent to the attacks your browser has to
> withstand.
>
> My laptop is hardware encrypted, my browser has an extra password. So
> there are two good "even if" . I am missing these "even ifs" after you
> remove the first layer of security of WebID. Furthermore the protocol seems
> secure by having keywords like public/private key and TLS, when in fact a
> script kiddie could find an exploit on your server and render the strong
> private key and TLS security ineffective. De facto the security level can
> be much lower and it is not uniform across the protocol.
>
> identity protocol? Sounds more like identity theft problem.
>
> WebID - an identity protocol that creates new motives and opportunities
> for identity theft.
>
>
> For solid there are more dangers like SynoLocker:
> https://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware
>
> However, foremost, I am caring about the WebID protocol.
>
> All the best,
>
> Sebastian
>
>
>
> On Sun, 3 Mar 2019 at 23.49, Sebastian Hellmann <
> hellmann@informatik.uni-leipzig.de> wrote:
>
>> Thank you Martynas,
>>
>> this would add an extra layer of security. I would consider the whole
>> system moderately secure with this measure alone. At the moment, I would
>> discourage anybody from using WebID, with this I would judge it acceptable,
>> not great, but acceptable, since I think you would still be able to create
>> new accounts on additional websites, plus there needs to be a way to
>> recover from loss of private key.
>>
>> I would welcome one extra layer like the bitcoin (private key points to
>> address, not the other way round) or the CA signature of the WebID to
>> public key link. But there could be more elegant methods. Having *a
>> professional third party like a CA protecting the system* would however
>> take a lot of stress from individuals trying to secure their servers.
>>
>> -- Sebastian
>>
>>
>> On 03.03.19 19:35, Martynas Jusevičius wrote:
>>
>> Sebastian,
>>
>> WebID-TLS relies on you having authority over your WebID profile. If that
>> authority is compromised, your WebID identity is compromised as well.
>>
>> Isn’t there a pretty easy safeguard for this though? I think it would be
>> sufficient for the Verification Agent [1] to store a copy of the RDF
>> profile first time it sees a WebID, so it can notice when the public key
>> from the client certificate does not match it anymore.
>>
>> I think this is like storing public keys on GitHub. SSH is considered a
>> secure protocol, but connecting with any key is not enough - an extra step
>> is required for security.
>>
>> Martynas
>>
>> [1]
>> https://www.w3.org/2005/Incubator/webid/spec/tls/#verifying-the-webids
>>
>> On Sun, 3 Mar 2019 at 17.45, Sebastian Hellmann <
>> hellmann@informatik.uni-leipzig.de> wrote:
>>
>>> Hi Jonas,
>>>
>>> what you write confirms my fears.
>>> On 03.03.19 10:47, Jonas Smedegaard wrote:
>>>
>>> Quoting Sebastian Hellmann (2019-03-03 09:41:40)
>>>
>>> Hi Kingsley,
>>>
>>> you are writing a lot of text without answering my simple question:
>>>
>>> If I find a way to change your public key in your WebID to match my
>>> private key, can I log into your accounts with my private key?
>>>
>>> Your associated accounts for your WebID seem quite valuable already, I
>>> could target your employees with root access and make them an offer they
>>> can't refuse.
>>>
>>> What security measures against identity theft are in place and where can
>>> I read about them? This here is minimal: https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security
>>>
>>> This is a WebID: https://dr.jones.dk/me/#me
>>>
>>> And here is a list of other domains pointing to it:
>>>
>>> anniqa.dkbassballs.dkbirgitmaanestraale.dkbyvandring.nucityseeing.dkcouchdesign.dkdns.jones.dkelectrohype.dkevent.jones.dkfeliciaweb.dkjones.dkkassandra-production.dklejlighederinc.orgmail.jones.dkmajasguf.dkmejeriet.oroe.dkparl.debian.netperilin.jones.dkpublic-e.dkressourceoptimering.dksolidbox.orgstadsvandring.dkwww.xpositionreverse.orgxayide.jones.dkxn--abcdefghijklmnopqrstuvxyz-0fc0a81c.dkxpositionreverse.org
>>>
>>> This takes three minutes here:
>>> https://hackertarget.com/reverse-ip-lookup/
>>>
>>> I am sure some of them are on the same server as your WebID and maybe I
>>> find a hole in them for accessing your webid  document directly or more
>>> subtle add a .htaccess rule .
>>>
>>>
>>> That is an identity. Just like "Jonas Smedegaard" is an identity.
>>>
>>> It is not secure against identity theft. It is just a URI.
>>>
>>> In itself this is cool and secure, but it is also a beacon for personal
>>> attacks. This is also worth the effort. If I hack into Kingsleys WebID and
>>> post some of his most silliest private pictures in social media with the
>>> note that he has been hacked, OpenLink will loose a lot of customers. The
>>> competitor who hacked him can pick them up. It can bring down whole
>>> companies, if you target the right persons. Also it is much more attractive
>>> to hack into TimBL's WebID than into the W3C site or his personal website.
>>>
>>>
>>> ***
>>>
>>> An RDF document is served at the URL of my WebID.
>>>
>>> That is an identifier.  Just like my birth certificate and my passport
>>> are identifiers.
>>>
>>> It is not secure against identity theft.  It is just a document.
>>>
>>> I see this differently. Birth certificate and passport are issued by
>>> trusted third parties and your passport contains hundreds of security
>>> measures, while the RDF document contains exactly 0.
>>>
>>> ***
>>>
>>> A public TLS key is contained within my WebID RDF document.
>>>
>>> That can be used for (the public part of) WebID+TLS authentication.
>>> Just as contacting the church where I was baptised to verify that
>>> they got a matching copy of my birth certificate, or call up the
>>> danish authorities to verify if they got matching credentials for
>>> my passport can authenticate identifiers for my other identities.
>>>
>>> The problem I have is that the unprotected RDF document Identity claim
>>> determines the way how this claim is verified. Personally, I see the
>>> private key as most secure thing and there are many better systems that
>>> point from the private key to the identifier, Bitcoin addresses for example
>>> and this is the level of security I would like to have for my WebID. In the
>>> most paranoid case, wearing it in an USB stick with only me knowing the
>>> password around my neck.
>>>
>>> There are also very good systems that provide excellent protection for
>>> individuals:
>>>
>>> * my credit card: basically my pin code can be compromised by the person
>>> behind me looking over my shoulder at the ice cream shop, but the contract
>>> I have limits my risk to 50€ in case of any fraud. Sometimes they even call
>>> me to verify suspicions.
>>>
>>> * The certificate authorities are quite an established system. So they
>>> could certify the link between my public/private key and my WebID. I would
>>> have an extra channel in case of private key loss and I think it is also
>>> possible to extend this trust to my agents acting as a CA and issuing lower
>>> level certificates.
>>>
>>> We tried to implement WebID: https://github.com/dbpedia/webid
>>>
>>> I also implemented a client that does requests every hour via the WebID
>>> system, basically curl with the private key and a self-signed certificate
>>> with the WebID as SAN . It is nothing critical, but it is a cronjob and in
>>> order for it to work I put the password for the webid in a plaintext config
>>> file. I only use the Webid and private key for this and everything is on
>>> the same server, but then 4 other people have root access there, which I
>>> trust completely.
>>>
>>> I knew that this compromises security a lot, but it is ok at the moment,
>>> since damage would be minimal. Now I feel, that I have to make a new
>>> public/private key for everything I implement and if one gets compromised
>>> somebody can create new accounts with my webid.
>>>
>>> Maybe there is a better way to do this, please tell me.
>>>
>>> All the best,
>>>
>>> Sebastian
>>>
>>>
>>> ***
>>>
>>> If you find a way to break into and manipulate my web server, or if you
>>> bribe the clerk at the church or the police department, then you can
>>> steal my identities.
>>>
>>> For WebID+TLS you would want to find flaws in TLS to break into the
>>> protocol of authenticating WebIDs _that_ way.  And similarly for other
>>> authentication protocols of WebID.
>>>
>>> There might be ways _specifically_ to how TLS to tied to WebID, and
>>> those might be flawed.  Which is what you found a document about.  But
>>> that document does not cover all the *other* ways you can gain control
>>> over my WebID, including simply showing up at my doorstep and kick me in
>>> the face with a bat until I hand over the private TLS key, or burn down
>>> my house (it is made of wood) to stop my server from running.
>>>
>>> What was your "simple question" again?
>>>
>>>
>>>  - Jonas
>>>
>>>
>>> --
>>> All the best,
>>> Sebastian Hellmann
>>>
>>> Director of Knowledge Integration and Linked Data Technologies (KILT)
>>> Competence Center
>>> at the Institute for Applied Informatics (InfAI) at Leipzig University
>>> Executive Director of the DBpedia Association
>>> Projects: http://dbpedia.org, http://nlp2rdf.org,
>>> http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
>>> <http://www.w3.org/community/ld4lt>
>>> Homepage: http://aksw.org/SebastianHellmann
>>> Research Group: http://aksw.org
>>>
>> --
>> All the best,
>> Sebastian Hellmann
>>
>> Director of Knowledge Integration and Linked Data Technologies (KILT)
>> Competence Center
>> at the Institute for Applied Informatics (InfAI) at Leipzig University
>> Executive Director of the DBpedia Association
>> Projects: http://dbpedia.org, http://nlp2rdf.org,
>> http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
>> <http://www.w3.org/community/ld4lt>
>> Homepage: http://aksw.org/SebastianHellmann
>> Research Group: http://aksw.org
>>
> --
> All the best,
> Sebastian Hellmann
>
> Director of Knowledge Integration and Linked Data Technologies (KILT)
> Competence Center
> at the Institute for Applied Informatics (InfAI) at Leipzig University
> Executive Director of the DBpedia Association
> Projects: http://dbpedia.org, http://nlp2rdf.org,
> http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
> <http://www.w3.org/community/ld4lt>
> Homepage: http://aksw.org/SebastianHellmann
> Research Group: http://aksw.org
>

Received on Monday, 4 March 2019 08:45:59 UTC