
Re: [secdir] secdir review of draft-saintandre-tls-server-id-check-09

2010-09-22 13:19:18
On 9/22/10 12:14 PM, Jeffrey Hutzelman wrote:
> --On Wednesday, September 22, 2010 12:34:50 PM -0400 Barry Leiba
> <barryleiba(_dot_)mailing(_dot_)lists(_at_)gmail(_dot_)com> wrote:
>
>> There's a distinction, here, between a protocol and a user interface
>> for configuration.  My mother doesn't know whom to trust, except that
>> she knows that she (at least kinda-sorta) trusts the mail program
>> she's decided to use, and an entity she calls "gmail" (not
>> "google.com", not "gmail.com", but just "gmail").  She's relying on
>> the mail program's "easy configuration feature" to sort this out.
>>
>> The text I reviewed appeared to be saying normative things about what
>> client software MUST and MUST NOT do with regard to this sort of
>> configuration situation, which goes well beyond what the client
>> software is doing on the wire.  Unless I'm misreading it, it's
>> explicitly saying that my client software is not allowed to do
>> something like this, for example:
>> 1. Ask the user, "What email service do you use?"
>> 2. Receive the answer "gmail" from the user.
>> 3. Auto-configure itself for the known gmail servers based only on
>> that user input.
>
> I think that's reasonable behavior _if_ the mail client knows that
> "gmail" is "mail.google.com".  What's _not_ reasonable is for it to
> arbitrarily transform "gmail" into a domain by adding ".com", then look
> up "gmail.com" and see that it is an alias for "mail.google.com" and not
> only follow the (insecure) alias to mail.google.com but also use it to
> decide that "mail.google.com" is an appropriate name to find in a
> certificate.
>
> If your mother's mail client does that, then all I have to do to steal
> her password is convince said client that "gmail.com" is actually an
> alias for "stealgmailpassword.attacker.org".

In my experience, some user agents have interface elements such as a
drop-down box that lists popular service providers, and the account
configuration wizard behaves differently (e.g., asks for different
information) depending on which popular service provider the user chooses.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
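As an added illustration of the rule Jeff describes (this is not code from the draft or from anyone in the thread): a client's reference identifiers come from the source domain it already knows for a provider nickname or from a domain the user typed, never from a guessed ".com" suffix or from an insecure CNAME target. The provider table, CNAME records and certificate names below are constructed.

```python
# Added example: deriving and checking TLS reference identifiers the way
# draft-saintandre-tls-server-id-check intends, with the CNAME-following
# behaviour from the thread shown alongside for contrast.

# Constructed table standing in for a client's "easy configuration" feature:
# a nickname the user might type maps to a hostname the client already knows.
KNOWN_PROVIDERS = {"gmail": "mail.google.com"}


def reference_identifiers(user_input: str) -> list:
    """Return the DNS-IDs the client may accept in the server certificate.

    Only the source domain is used: a pre-configured hostname for a known
    nickname, or the literal input if it already looks like a domain.
    Nothing learned from DNS resolution ever becomes a reference identifier.
    """
    name = user_input.strip().lower()
    if name in KNOWN_PROVIDERS:
        return [KNOWN_PROVIDERS[name]]
    if "." in name:
        return [name]
    return []  # bare "yahoo"-style input with no table entry: refuse to guess


def dns_id_matches(reference: str, presented: str) -> bool:
    """Compare one reference DNS-ID with one presented DNS-ID.

    Case-insensitive; a wildcard is honoured only as the complete left-most
    label and never spans more than one label (so *.google.com does not match
    a.b.google.com).
    """
    ref, pres = reference.lower(), presented.lower()
    if pres.startswith("*."):
        ref_labels, pres_labels = ref.split("."), pres.split(".")
        return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]
    return ref == pres


def server_identity_ok(user_input: str, presented_ids: list) -> bool:
    """True if any reference identifier matches any presented DNS-ID."""
    refs = reference_identifiers(user_input)
    return any(dns_id_matches(r, p) for r in refs for p in presented_ids)


def insecure_cname_derived_name(user_input: str, cname_records: dict) -> str:
    """The behaviour Jeff warns against, for contrast only: append ".com",
    follow a CNAME from an unauthenticated lookup, and treat whatever it
    points at as a name to look for in the certificate."""
    guessed = user_input.strip().lower() + ".com"
    return cname_records.get(guessed, guessed)
```

With a constructed CNAME record an attacker can influence, the insecure path yields the attacker's hostname as the name to accept, while `server_identity_ok` never consults DNS at all.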
