Re: Symptoms vs. Causes (was next step on web phishing draft)

Michael Dillon said:

> "Personally, I would like to see some more criticism of the fact that
> this draft is about Phishing, a symptom of security problems, rather
> than about strengthening a weakness in Internet security. It is entirely
> possible to "solve" the phishing problem without strengthening the
> network, and possibly even introducing new weaknesses. Being too focused
> on one symptom is not a good way to approach security. Indeed, it is
> entirely possible that the solution to phishing lies with the banking
> system, not with the Internet or IETF."

Phishing is not a problem only for the banking industry. We have 
discovered phishing websites on the Internet designed to mimic
web authentication systems deployed at my University, obviously
designed to steal our passwords.

I certainly agree with attacking the cause rather than the symptom. But a
portion of Sam Hartman's draft is in fact dealing with a cause of the
symptom. Namely the part that is trying to protect user credentials
from disclosure to an unauthorized party -- by proposing to eliminate
the near-ubiquitous phenomenon of sending passwords over TLS to an 
application server. And using proper cryptographic authentication 
techniques that don't transmit long-lived passwords or keys over the 
network, period. It's about time the IETF stood up and said that.

And yes, I agree that a new properly designed version of HTTP Digest 
authentication might be one way to help. As well as the various zero
knowledge protocols.

Bernard Aboba said:

> So we need to think carefully about distinguishing symptoms from 
> underlying causes.  If we just focus on symptoms, we will be 
> playing a game of Whack-a-mole.  For example, the document states that 
> anti-phishing measures MUST support passwords, yet with the increasing 
> prevalence of keystroke logging malware, it is not clear to me that 
> merely avoiding the sending of cleartext passwords over the wire is 
> enough. 

We can have a discussion about whether long-lived human-memorizable
passwords have a future. But we have to deal with the reality today.
I suppose that some time in the distant future we might all be using
public key authentication, carrying around our PKI credentials on
smart cards, mechanisms to interface those cards to end systems are
commonplace, systems and federations of PKIs are ubiquitous, proper
certificate revocation infrastructure is in place, etc. But we
are very far from that world.

If passwords altogether are eliminated, then I presume malware will
just evolve to deal with it. So the whack-a-mole game will continue 
as usual. Users could be tricked into installing a trojan horse that
captured their private key or logged the passphrase that they typed 
to unlock it. Should we be recommending non-reusable passwords or
smartcards/tokens everywhere?

At some level, you have to trust the software on your endstation.
Even if you've protected your authentication credentials, not 
trusting endstation software means that you may not be able to 
conduct any private or sensitive tasks on it. I don't think this 
problem can be solved until we have radically more secure designs 
in both operating systems and applications. Even that may not be 
enough.

--Shumon.
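The contrast drawn above, between posting a password over TLS and a Digest-style challenge/response that keeps the long-lived secret on the client, as an added illustration that is not part of the thread or of Sam Hartman's draft. The class and function names (`PasswordOverTLSServer`, `ChallengeResponseServer`, `derive_verifier`, `client_respond`, `demo`) and the sample user, realm and password are constructed for this example; the digest construction is a simplified stand-in for HTTP Digest, not the RFC algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed example: two login patterns side by side. In the first, the
# server (or any look-alike server the user is tricked into contacting)
# receives the password itself. In the second, only a nonce and an HMAC over
# it cross the wire, so a captured exchange does not contain the password and
# cannot be replayed against a fresh challenge.


def derive_verifier(username: str, realm: str, password: str) -> bytes:
    """Digest-style H(username:realm:password): the only thing the server
    stores, and the client-side key for answering a challenge."""
    return hashlib.sha256(f"{username}:{realm}:{password}".encode()).digest()


class PasswordOverTLSServer:
    """Form-based login: the client posts the password itself. TLS protects it
    in transit, but whichever endpoint terminates TLS sees it in the clear."""

    def __init__(self):
        self.users = {}
        self.seen_passwords = []  # what a phishing look-alike would harvest

    def register(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        self.seen_passwords.append(password)
        return self.users.get(user) == password


class ChallengeResponseServer:
    """Challenge/response: server issues a one-time nonce, client answers with
    HMAC(verifier, nonce). The password never leaves the client."""

    def __init__(self, realm):
        self.realm = realm
        self.verifiers = {}
        self.outstanding = {}  # user -> nonce currently awaiting a response

    def register(self, user, password):
        self.verifiers[user] = derive_verifier(user, self.realm, password)

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        expected_nonce = self.outstanding.pop(user, None)  # single use
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected = hmac.new(self.verifiers[user], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_respond(user, realm, password, nonce):
    """Client side: derive the verifier locally and answer the challenge."""
    return hmac.new(derive_verifier(user, realm, password), nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    user, realm, password = "alice", "campus-sso", "correct horse battery"  # constructed

    form = PasswordOverTLSServer()
    form.register(user, password)
    form_ok = form.login(user, password)

    cr = ChallengeResponseServer(realm)
    cr.register(user, password)
    nonce = cr.challenge(user)
    response = client_respond(user, realm, password, nonce)
    cr_ok = cr.verify(user, nonce, response)

    # What an observer of the second exchange would capture, and what it buys them.
    wire = [nonce, response]
    replay_same_nonce = cr.verify(user, nonce, response)          # nonce already consumed
    fresh = cr.challenge(user)
    replay_fresh_nonce = cr.verify(user, fresh, response)         # HMAC bound to old nonce

    return {
        "form_login_ok": form_ok,
        "password_seen_by_form_server": password in form.seen_passwords,
        "cr_login_ok": cr_ok,
        "password_on_wire": password in wire,
        "replay_same_nonce_ok": replay_same_nonce,
        "replay_fresh_nonce_ok": replay_fresh_nonce,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verifier derivation is a plain hash for readability; a deployable design would use a salted, slow KDF. Note also that a challenge/response transcript captured by a look-alike server still lets the attacker test password guesses offline against it, which is the gap the zero-knowledge (PAKE-style) protocols mentioned above are designed to close.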
