Re: clarifications needed re safe form editor cert matching algorithm

Has some level of control, yes. But that doesn't address the second case,
where ifette.googlepages.com is a phishing site, and I don't want Google's
cert being used there...

-Ian

On 10/11/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> That's not what I said.  ianfette.googlepages.com is still under the
> googlepages.com domain.  The person who controls the googlepages.com
> domain still has control over the other subdomains.
>
> serge
>
> Ian Fette wrote:
> > Not really... you have absolutely no way of knowing that
> > ianfette.googlepages.com is on the same server as googlepages.com.
> > Given our architecture, I have no idea. It's a server we own, but it's
> > not necessarily one of the googlepages.com servers.
> >
> > Also though, let's say that you have a phishing site at
> > https://ifette.googlepages.com - I don't really know that I want a lock
> > being displayed there, or whatever security indicators we display, based
> > on Google's certificate. Right now most free web hosts aren't giving
> > users SSL (that I know of), and this would be an easy way for an
> > attacker to get free SSL with a pretty good cert. Not really ideal, and
> > could even make us more of a target. Who knows, rampant speculation past
> > this point...
> >
> > -Ian
> >
> > On 10/11/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >
> >     ...and in that case it's still accurate.
> >
> >     serge
> >
> >     Ian Fette wrote:
> >     > Well, it's still an attestation to some level. It's not an
> >     > attestation that you're talking with Google, but it is an
> >     > attestation that you're talking with google.com. But beyond that
> >     > I have no good answer.
> >     >
> >     > On 10/11/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >     >
> >     >     Point taken.
> >     >
> >     >     But what about certificates that are not attestations? E.g.,
> >     >     anything non-EV?
> >     >
> >     >     serge
> >     >
> >     >     Ian Fette wrote:
> >     >     > The need to warn comes in around something like
> >     >     > googlepages.com. Right now, the management is all under
> >     >     > pages.google.com and we use an SSL cert for google.com for
> >     >     > login etc. But it is conceivable that at some point we might
> >     >     > actually want to SSL enable https://www.googlepages.com for
> >     >     > login, or who knows what. (This is wild speculation, I don't
> >     >     > work on the project, this is just an example). So we would
> >     >     > then need a cert for googlepages.com. But user content is
> >     >     > located at username.googlepages.com, and we really don't
> >     >     > want to attest to anything about the identity of whatever is
> >     >     > found at those locations. So when you try to load
> >     >     > https://ifette.googlepages.com under this scenario (where
> >     >     > googlepages.com is actually ssl enabled and serving up
> >     >     > something), you had better get a warning.
> >     >     >
> >     >     > Subdomains are not *always* controlled (or rather, authored
> >     >     > / attested to) by the owner of the higher-level domain, and
> >     >     > it's not always a safe assumption to make. You can make
> >     >     > arguments about www being a special case, but beyond that...
> >     >     >
> >     >     > -Ian
> >     >     >
> >     >     > On 10/11/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >     >     >
> >     >     >     This is an error I'm trying to do some research on,
> >     >     >     maybe someone can shed some light on it.  There are
> >     >     >     thousands of legitimate sites that have this problem,
> >     >     >     either because they don't use an alt-name, or the
> >     >     >     certificate is being used on some other subdomain of
> >     >     >     their domain.
> >     >     >
> >     >     >     In the case where one certificate is being used by
> >     >     >     another host within the domain that it was legitimately
> >     >     >     issued for, I'm not entirely sure what the threat model
> >     >     >     is.  Sure, this is a great way for CAs to make money (by
> >     >     >     either making a site buy a new certificate for every
> >     >     >     host or making them buy a wildcard cert), but beyond
> >     >     >     this, what's the need to warn?
> >     >     >
> >     >     >     Yes, the DNS can be hacked to add in a new hostname, but
> >     >     >     at that point there are bigger problems.
> >     >     >
> >     >     >     serge
> >     >     >
> >     >     >     Ian Fette wrote:
> >     >     >     > bankofamerica.com does not use an alt-name. What's the
> >     >     >     > point? (And for those of us who aren't using IE7, I'm
> >     >     >     > assuming you just get a common name mismatch error, or
> >     >     >     > what?) If eBay uses it, then I think you need to be
> >     >     >     > worried about breaking it.
> >     >     >     >
> >     >     >     > On 10/11/07, *Close, Tyler J.* <tyler.close@hp.com> wrote:
> >     >     >     >
> >     >     >     >     Perhaps there's some way to finesse this part of
> >     >     >     >     the algorithm by reference to RFC 2818. I'll work
> >     >     >     >     on it.
> >     >     >     >
> >     >     >     >     Many sites don't seem to be using this cert
> >     >     >     >     feature. For a fun example, visit the following
> >     >     >     >     URL using IE7.
> >     >     >     >
> >     >     >     >     https://bankofamerica.com/
> >     >     >     >
> >     >     >     >     --Tyler
> >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >     >         ------------------------------------------------------------------------
> >     >     >     >         *From:* Ian Fette [mailto:ifette@google.com]
> >     >     >     >         *Sent:* Thursday, October 11, 2007 12:48 PM
> >     >     >     >         *To:* Close, Tyler J.
> >     >     >     >         *Cc:* public-wsc-wg@w3.org
> >     >     >     >         *Subject:* Re: clarifications needed re safe form
> >     >     >     >         editor cert matching algorithm
> >     >     >     >
> >     >     >     >         It is in huge use. For example, if you go to
> >     >     >     >         https://signin.ebay.com and look at the cert -
> >     >     >     >         the CN is signin.ebay.com but the certificate
> >     >     >     >         subject alt name lists:
> >     >     >     >
> >     >     >     >         Not Critical
> >     >     >     >         DNS Name: signin.cafr.ebay.ca
> >     >     >     >         DNS Name: signin.ebay.ca
> >     >     >     >         DNS Name: signin.ebay.com.au
> >     >     >     >         DNS Name: signin.ebay.com.cn
> >     >     >     >         DNS Name: signin.express.ebay.com
> >     >     >     >         DNS Name: signin.half.ebay.com
> >     >     >     >         DNS Name: signin.liveauctions.ebay.com
> >     >     >     >         DNS Name: signin.shopping.ebay.com
> >     >     >     >         DNS Name: signin.tw.ebay.com
> >     >     >     >         DNS Name: signin.ebay.com
> >     >     >     >
> >     >     >     >         and if you go to https://signin.ebay.de you
> >     >     >     >         again get a cert with CN=signin.ebay.com but
> >     >     >     >         alt names of:
> >     >     >     >         Not Critical
> >     >     >     >         DNS Name: signin.befr.ebay.be
> >     >     >     >         DNS Name: signin.benl.ebay.be
> >     >     >     >         DNS Name: signin.ebay.at
> >     >     >     >         DNS Name: signin.ebay.be
> >     >     >     >         DNS Name: signin.ebay.co.uk
> >     >     >     >         DNS Name: signin.ebay.de
> >     >     >     >         DNS Name: signin.ebay.es
> >     >     >     >         DNS Name: signin.ebay.fr
> >     >     >     >         DNS Name: signin.ebay.ie
> >     >     >     >         DNS Name: signin.ebay.nl
> >     >     >     >         DNS Name: signin.express.ebay.co.uk
> >     >     >     >         DNS Name: signin.ebay.com
> >     >     >     >
> >     >     >     >
> >     >     >     >         So yeah, it's important.
> >     >     >     >         On 10/11/07, *Close, Tyler J.* <tyler.close@hp.com> wrote:
> >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >     >             Thomas Roessler wrote:
> >     >     >     >             > going through the matching algorithm while
> >     >     >     >             > folding it in...
> >     >     >     >             >
> >     >     >     >             > - The current language confuses attributes
> >     >     >     >             >   and fields.  I suspect that you mean the
> >     >     >     >             >   various attributes of the Subject
> >     >     >     >             >   certificate field.  Please confirm.
> >     >     >     >
> >     >     >     >             The CN, O, L, ST and C values I refer to are
> >     >     >     >             the ones in the set referred to by the Subject
> >     >     >     >             field in the end entity certificate. Not sure
> >     >     >     >             how to be any more specific about this in
> >     >     >     >             PKIXese.
> >     >     >     >
> >     >     >     >             > - I notice that you have some rules that
> >     >     >     >             >   concern matching the CN attribute, but
> >     >     >     >             >   none concerning subjectAltName.  I'm happy
> >     >     >     >             >   to simply track this point as an issue.
> >     >     >     >
> >     >     >     >             Could you point me to a document covering the
> >     >     >     >             semantics of subjectAltName? Is it in use in
> >     >     >     >             X.509 certs on the Web?
> >     >     >     >
> >     >     >     >             > Also, I'll open an issue to track the "PKI
> >     >     >     >             > orthodoxy" remarks that Hal had made at the
> >     >     >     >             > face-to-face, and will link to that issue
> >     >     >     >             > from the draft.
> >     >     >     >
> >     >     >     >             Thanks,
> >     >     >     >             --Tyler
> >     >     >     >
> >     >     >     >
> >     >     >     >
> >     >     >
> >     >     >     --
> >     >     >     /*
> >     >     >     Serge Egelman
> >     >     >
> >     >     >     PhD Candidate
> >     >     >     Vice President for External Affairs, Graduate Student
> >     Assembly
> >     >     >     Carnegie Mellon University
> >     >     >
> >     >     >     Legislative Concerns Chair
> >     >     >     National Association of Graduate-Professional Students
> >     >     >     */
> >     >     >
> >     >     >
> >     >
> >     >
> >     >
> >
> >
> >
>
>

Received on Friday, 12 October 2007 00:47:56 UTC
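The whole thread turns on what a browser's certificate matching algorithm accepts: whether subjectAltName is consulted, whether the Subject CN still counts, and whether a certificate issued for googlepages.com (or a wildcard under it) should match https://ifette.googlepages.com. As an added example that is not part of this thread and not any participant's code, here is a small Python implementation of the RFC 2818 rules Tyler refers to, with the wildcard restrictions RFC 6125 later made explicit: subjectAltName dNSName entries are checked first, the CN is a fallback only when the certificate carries no dNSName, and a `*` matches exactly one DNS label. The certificates are constructed dicts in the shape Python's `ssl.getpeercert()` returns; the eBay alt names are the ones Ian quoted, while the googlepages.com certificates and every function name are hypothetical.

```python
# Added example (not from the thread). Hostname matching per RFC 2818 section
# 3.1 with the wildcard restrictions spelled out in RFC 6125: subjectAltName
# dNSName entries are authoritative when present, the Subject CN is consulted
# only if the certificate carries no dNSName, and "*" matches exactly one DNS
# label. Certificates below are constructed dicts in the shape of
# ssl.getpeercert(); the eBay names are those quoted in the thread, the
# googlepages.com certificates are hypothetical.


def _candidate_names(cert):
    """Return (names, source): the identifiers a hostname may be matched against."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns, "commonName"


def _matches(pattern, hostname):
    """Case-insensitive DNS-ID match; a wildcard is only ever a whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "f*o.example.com", "*.com" and "a.*.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # "*" covers one label only: "*.example.com" never matches
    # "a.b.example.com" and never matches the bare "example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (matched, source, name): which identifier, if any, matched."""
    names, source = _candidate_names(cert)
    for name in names:
        if _matches(name, hostname):
            return True, source, name
    return False, source, None


# Constructed certificates. Only the fields used above are filled in.
EBAY_DE_CERT = {
    "subject": ((("commonName", "signin.ebay.com"),),),
    "subjectAltName": tuple(
        ("DNS", n) for n in (
            "signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
            "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de",
            "signin.ebay.es", "signin.ebay.fr", "signin.ebay.ie",
            "signin.ebay.nl", "signin.express.ebay.co.uk", "signin.ebay.com",
        )
    ),
}
# Hypothetical: the CN-only cert Ian's scenario assumes, no alt names.
GOOGLEPAGES_CERT = {"subject": ((("commonName", "googlepages.com"),),)}
# Hypothetical: the wildcard cert a free host might deploy instead.
GOOGLEPAGES_WILDCARD_CERT = {
    "subject": ((("commonName", "*.googlepages.com"),),),
    "subjectAltName": (("DNS", "*.googlepages.com"), ("DNS", "googlepages.com")),
}


def thread_scenarios():
    """The cases argued over in the thread, keyed by a short description."""
    return {
        "ebay.de via SAN, CN differs": match_hostname(EBAY_DE_CERT, "signin.ebay.de"),
        "ebay.it not listed": match_hostname(EBAY_DE_CERT, "signin.ebay.it"),
        "parent-domain cert on a user subdomain": match_hostname(GOOGLEPAGES_CERT, "ifette.googlepages.com"),
        "wildcard cert on a user subdomain": match_hostname(GOOGLEPAGES_WILDCARD_CERT, "ifette.googlepages.com"),
        "wildcard does not span two labels": match_hostname(GOOGLEPAGES_WILDCARD_CERT, "a.b.googlepages.com"),
    }


if __name__ == "__main__":
    for label, (ok, source, name) in thread_scenarios().items():
        verdict = f"match via {source}={name}" if ok else "NO MATCH -> warn"
        print(f"{label:42s} {verdict}")
```

Run stand-alone it prints one line per scenario. The first two show why Ian says breaking subjectAltName would break eBay: signin.ebay.de matches only through the alt names, never through the CN. The last three show the googlepages.com argument from both sides: a plain googlepages.com certificate on ifette.googlepages.com does not match and should warn, whereas a `*.googlepages.com` wildcard makes that host match cleanly even though the certificate holder attests nothing about who authored the page, which is exactly the free-SSL-for-phishing outcome Ian objects to.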