- From: Ian Fette <ifette@google.com>
- Date: Thu, 11 Oct 2007 17:47:27 -0700
- To: "Serge Egelman" <egelman@cs.cmu.edu>
- Cc: "Close, Tyler J." <tyler.close@hp.com>, public-wsc-wg@w3.org
- Message-ID: <bbeaa26f0710111747vf2525efm91fa0ca85defe9be@mail.gmail.com>
Has some level of control, yes. But that doesn't address the second case, where ifette.googlepages.com is a phishing site, and I don't want Google's cert being used there...

-Ian

On 10/11/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> That's not what I said. ianfette.googlepages.com is still under the
> googlepages.com domain. The person who controls the googlepages.com
> domain still has control over the other subdomains.
>
> serge
>
> Ian Fette wrote:
> > Not really... you have absolutely no way of knowing that
> > ianfette.googlepages.com is on the same server as googlepages.com.
> > Given our architecture, I have no idea. It's a server we own, but it's
> > not necessarily one of the googlepages.com servers.
> >
> > Also though, let's say that you have a phishing site at
> > https://ifette.googlepages.com - I don't really know that I want a lock
> > being displayed there, or whatever security indicators we display,
> > based on Google's certificate. Right now most free web hosts aren't
> > giving users SSL (that I know of), and this would be an easy way for an
> > attacker to get free SSL with a pretty good cert. Not really ideal, and
> > could even make us more of a target. Who knows, rampant speculation
> > past this point...
> >
> > -Ian
> >
> > On 10/11/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
> > >
> > > ...and in that case it's still accurate.
> > >
> > > serge
> > >
> > > Ian Fette wrote:
> > > > Well, it's still an attestation to some level. It's not an
> > > > attestation that you're talking with Google, but it is an
> > > > attestation that you're talking with google.com. But beyond that I
> > > > have no good answer.
> > > >
> > > > On 10/11/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
> > > > >
> > > > > Point taken.
> > > > >
> > > > > But what about certificates that are not attestations? E.g.,
> > > > > anything non-EV?
> > > > >
> > > > > serge
> > > > >
> > > > > Ian Fette wrote:
> > > > > > The need to warn comes in around something like googlepages.com.
> > > > > > Right now, the management is all under pages.google.com and we
> > > > > > use a SSL cert for google.com for login etc. But it is
> > > > > > conceivable that at some point we might actually want to SSL
> > > > > > enable https://www.googlepages.com for login, or who knows what.
> > > > > > (This is wild speculation, I don't work on the project, this is
> > > > > > just an example). So we would then need a cert for
> > > > > > googlepages.com. But user content is located at
> > > > > > username.googlepages.com, and we really don't want to attest to
> > > > > > anything about the identity of whatever is found at those
> > > > > > locations. So when you try to load https://ifette.googlepages.com
> > > > > > under this scenario (where googlepages.com is actually ssl
> > > > > > enabled and serving up something), you had better get a warning.
> > > > > >
> > > > > > Subdomains are not *always* controlled (or rather, authored /
> > > > > > attested to) by the owner of the higher-level domain, and it's
> > > > > > not always a safe assumption to make. You can make arguments
> > > > > > about www being a special case, but beyond that...
> > > > > >
> > > > > > -Ian
> > > > > >
> > > > > > On 10/11/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
> > > > > > >
> > > > > > > This is an error I'm trying to do some research on, maybe
> > > > > > > someone can shed some light on it. There are thousands of
> > > > > > > legitimate sites that have this problem, either because they
> > > > > > > don't use an alt-name, or the certificate is being used on
> > > > > > > some other subdomain of their domain.
> > > > > > >
> > > > > > > In the case where one certificate is being used by another
> > > > > > > host within the domain that it was legitimately issued for,
> > > > > > > I'm not entirely sure what the threat model is. Sure, this is
> > > > > > > a great way for CAs to make money (by either making a site buy
> > > > > > > a new certificate for every host or making them buy a wildcard
> > > > > > > cert), but beyond this, what's the need to warn?
> > > > > > >
> > > > > > > Yes, the DNS can be hacked to add in a new hostname, but at
> > > > > > > that point there are bigger problems.
> > > > > > >
> > > > > > > serge
> > > > > > >
> > > > > > > Ian Fette wrote:
> > > > > > > > bankofamerica.com does not use an alt-name. What's the
> > > > > > > > point? (And for those of us who aren't using IE7, I'm
> > > > > > > > assuming you just get a common name mismatch error, or
> > > > > > > > what?) If eBay uses it, then I think you need to be worried
> > > > > > > > about breaking it.
> > > > > > > >
> > > > > > > > On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
> > > > > > > > >
> > > > > > > > > Perhaps there's some way to finesse this part of the
> > > > > > > > > algorithm by reference to RFC 2818. I'll work on it.
> > > > > > > > >
> > > > > > > > > Many sites don't seem to be using this cert feature. For
> > > > > > > > > a fun example, visit the following URL using IE7.
> > > > > > > > >
> > > > > > > > > https://bankofamerica.com/
> > > > > > > > >
> > > > > > > > > --Tyler
> > > > > > > > >
> > > > > > > > > ------------------------------------------------------------------------
> > > > > > > > > From: Ian Fette [mailto:ifette@google.com]
> > > > > > > > > Sent: Thursday, October 11, 2007 12:48 PM
> > > > > > > > > To: Close, Tyler J.
> > > > > > > > > Cc: public-wsc-wg@w3.org
> > > > > > > > > Subject: Re: clarifications needed re safe form editor
> > > > > > > > > cert matching algorithm
> > > > > > > > >
> > > > > > > > > It is in huge use. For example, if you go to
> > > > > > > > > https://signin.ebay.com and look at the cert - the CN is
> > > > > > > > > signin.ebay.com but the certificate subject alt name
> > > > > > > > > lists:
> > > > > > > > >
> > > > > > > > > Not Critical
> > > > > > > > > DNS Name: signin.cafr.ebay.ca
> > > > > > > > > DNS Name: signin.ebay.ca
> > > > > > > > > DNS Name: signin.ebay.com.au
> > > > > > > > > DNS Name: signin.ebay.com.cn
> > > > > > > > > DNS Name: signin.express.ebay.com
> > > > > > > > > DNS Name: signin.half.ebay.com
> > > > > > > > > DNS Name: signin.liveauctions.ebay.com
> > > > > > > > > DNS Name: signin.shopping.ebay.com
> > > > > > > > > DNS Name: signin.tw.ebay.com
> > > > > > > > > DNS Name: signin.ebay.com
> > > > > > > > >
> > > > > > > > > and if you go to https://signin.ebay.de you again get a
> > > > > > > > > cert with CN=signin.ebay.com but alt names of:
> > > > > > > > > Not Critical
> > > > > > > > > DNS Name: signin.befr.ebay.be
> > > > > > > > > DNS Name: signin.benl.ebay.be
> > > > > > > > > DNS Name: signin.ebay.at
> > > > > > > > > DNS Name: signin.ebay.be
> > > > > > > > > DNS Name: signin.ebay.co.uk
> > > > > > > > > DNS Name: signin.ebay.de
> > > > > > > > > DNS Name: signin.ebay.es
> > > > > > > > > DNS Name: signin.ebay.fr
> > > > > > > > > DNS Name: signin.ebay.ie
> > > > > > > > > DNS Name: signin.ebay.nl
> > > > > > > > > DNS Name: signin.express.ebay.co.uk
> > > > > > > > > DNS Name: signin.ebay.com
> > > > > > > > >
> > > > > > > > > So yeah, it's important.
> > > > > > > > >
> > > > > > > > > On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
> > > > > > > > > >
> > > > > > > > > > Thomas Roessler wrote:
> > > > > > > > > > > going through the matching algorithm while folding
> > > > > > > > > > > it in...
> > > > > > > > > > >
> > > > > > > > > > > - The current language confuses attributes and
> > > > > > > > > > > fields. I suspect that you mean the various
> > > > > > > > > > > attributes of the Subject certificate field. Please
> > > > > > > > > > > confirm.
> > > > > > > > > >
> > > > > > > > > > The CN, O, L, ST and C values I refer to are the ones
> > > > > > > > > > in the set referred to by the Subject field in the
> > > > > > > > > > end entity certificate. Not sure how to be any more
> > > > > > > > > > specific about this in PKIXese.
> > > > > > > > > >
> > > > > > > > > > > - I notice that you have some rules that concern
> > > > > > > > > > > matching the CN attribute, but none concerning
> > > > > > > > > > > subjectAltName. I'm happy to simply track this
> > > > > > > > > > > point as an issue.
> > > > > > > > > >
> > > > > > > > > > Could you point me to a document covering the
> > > > > > > > > > semantics of subjectAltName? Is it in use in X.509
> > > > > > > > > > certs on the Web?
> > > > > > > > > >
> > > > > > > > > > > Also, I'll open an issue to track the "PKI
> > > > > > > > > > > orthodoxy" remarks that Hal had made at the
> > > > > > > > > > > face-to-face, and will link to that issue from
> > > > > > > > > > > the draft.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > --Tyler
> > > > > > >
> > > > > > > --
> > > > > > > /*
> > > > > > > Serge Egelman
> > > > > > >
> > > > > > > PhD Candidate
> > > > > > > Vice President for External Affairs, Graduate Student Assembly
> > > > > > > Carnegie Mellon University
> > > > > > >
> > > > > > > Legislative Concerns Chair
> > > > > > > National Association of Graduate-Professional Students
> > > > > > > */
Received on Friday, 12 October 2007 00:47:56 UTC
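The thread turns on how a client decides whether a certificate names the host it is talking to: Tyler's draft matches on the Subject CN, Ian points out that the eBay certificates carry the real identities in subjectAltName, and Serge asks why a cert issued for googlepages.com should not cover ifette.googlepages.com. The Python below is an added example, not code from the thread or from the WSC working group. It implements the RFC 2818 section 3.1 rule (use subjectAltName dNSNames when present and ignore the CN; otherwise use the CN; a wildcard matches one label only) and runs it over the signin.ebay.de alt-name list quoted in the thread. The `ServerCert` dataclass, the googlepages.com certificate and the CN-only certificate are constructed stand-ins, not real certificate data, and the two extra wildcard restrictions (left-most label only, at least two labels to its right) are defensive choices of this example, stricter than RFC 2818's own `f*.com` case.

```python
"""Hostname matching against a server certificate, RFC 2818 section 3.1 style.

Added example; not code from the thread or from the WSC working group. The
certificate records below are plain dataclasses standing in for parsed X.509
data. The eBay alt-name list is the one quoted in the thread; the
googlepages.com and CN-only certificates are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ServerCert:
    cn: str                                            # Subject commonName
    san_dns: list[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop a trailing dot."""
    return name.lower().rstrip(".")


def match_identifier(pattern: str, hostname: str) -> bool:
    """Match one certificate identifier (CN or SAN dNSName) against a hostname.

    RFC 2818: '*' matches any single domain name component or component
    fragment, so '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com'.
    Two defensive restrictions on top of that (this example's choice): the
    wildcard may only appear in the left-most label, and there must be at
    least two labels to its right, so '*' and '*.com' never match anything.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    head, p_rest = p_labels[0], p_labels[1:]
    if head.count("*") != 1 or any("*" in lbl for lbl in p_rest) or len(p_rest) < 2:
        return False
    if len(h_labels) != len(p_labels) or h_labels[1:] != p_rest:
        return False
    # Partial-label wildcard such as 'f*' must match the whole left-most label.
    prefix, _, suffix = head.partition("*")
    h0 = h_labels[0]
    return (len(h0) >= len(prefix) + len(suffix)
            and h0.startswith(prefix) and h0.endswith(suffix))


def hostname_matches(cert: ServerCert, hostname: str) -> tuple[bool, str]:
    """Return (matched, which_field_decided).

    RFC 2818 section 3.1: if the certificate carries subjectAltName dNSName
    entries, those are the identity and the CN is ignored; the CN is consulted
    only when no dNSName is present.
    """
    if cert.san_dns:
        return any(match_identifier(n, hostname) for n in cert.san_dns), "subjectAltName"
    return match_identifier(cert.cn, hostname), "commonName"


# The alt names quoted in the thread for the certificate served at https://signin.ebay.de
EBAY_DE_CERT = ServerCert(
    cn="signin.ebay.com",
    san_dns=[
        "signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
        "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de", "signin.ebay.es",
        "signin.ebay.fr", "signin.ebay.ie", "signin.ebay.nl",
        "signin.express.ebay.co.uk", "signin.ebay.com",
    ],
)
# Constructed: the hypothetical googlepages.com login certificate from the thread.
GOOGLEPAGES_CERT = ServerCert(cn="googlepages.com",
                              san_dns=["googlepages.com", "www.googlepages.com"])
# Constructed: a certificate with no subjectAltName at all, so only the CN counts.
CN_ONLY_CERT = ServerCert(cn="bankofamerica.com")


def check(cert: ServerCert, hostname: str) -> str:
    """One-line verdict a UI could act on: 'ok' or 'warn', plus which field decided."""
    ok, via = hostname_matches(cert, hostname)
    return f"{hostname}: {'ok' if ok else 'warn'} (decided by {via})"


if __name__ == "__main__":
    for cert, host in [
        (EBAY_DE_CERT, "signin.ebay.de"),               # SAN hit; CN is irrelevant
        (EBAY_DE_CERT, "signin.ebay.ca"),               # listed in the .com cert, not this one
        (GOOGLEPAGES_CERT, "www.googlepages.com"),
        (GOOGLEPAGES_CERT, "ifette.googlepages.com"),   # user subdomain: warn
        (CN_ONLY_CERT, "bankofamerica.com"),
        (CN_ONLY_CERT, "www.bankofamerica.com"),        # CN-only cert does not cover www
    ]:
        print(check(cert, host))
```

Two things the run makes visible that the thread argues over in prose: a certificate with SAN entries is judged only on those entries, so `signin.ebay.de` is accepted through the alt-name list even though the CN says `signin.ebay.com`, and a certificate issued for `googlepages.com` without a `*.googlepages.com` wildcard does not cover `ifette.googlepages.com`, which is exactly the warning Ian wants to keep.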