Tuesday, June 20, 2006

I was at the TIPPI workshop yesterday and proposed that we need a common threat model to evaluate proposals. Throughout the meeting someone would present a paper where 80% of the work and 95% of the interest was in area A and would then be asked about problem B.

Presenter shows plugin designed to explore the user interface issues:

"What about key loggers", "what about a man in the middle attack", "no, the real problem is the authentication credentials", "the phishing criminals will just go into selling plots of land in Florida", and so on.

In effect every single presenter was being evaluated on their ability to address the entire problem of Internet crime and to describe the solution in 30 minutes. That is not the way to go forward. We need to have a way for people to say what problem they are going to solve. The place where we have the biggest gaps in our knowledge is in the dynamics of the human interaction. If someone is presenting a paper on their antiphishing toolbar I don't care that much about the security of their protocol, not unless we are considering global deployment of the toolbar in that exact form. We know how to do protocols; we can fix that. It's the human interaction I am worried about.

There are several problems here. When we are talking about digest algorithms we have an established vocabulary of terms: SHA-1 is not broken, it is subject to a collision attack on its compression function but is still secure against the second pre-image attack. So when we are talking about S/MIME we say, no, the SHA-1 attacks do not compromise its use in that protocol, but they are a sign we should start the transition process.

What we need is a simple taxonomy of four or five terms (5 = 7-2) that we can use to refer to the various attacks. When we are holding discussions in a public forum we should only attempt to address one or at most two of those terms in this group at once. Everything else should be out of scope.

When we bring the parts together we have to address all parts of the problem at the same time. But expecting everyone to be an expert in everything is simply not productive.

Strawman proposal:

Platform Layer Attacks

Keyboard loggers, mouse click and screen capture trojans are all serious security issues.

Building platforms resistant to those attacks is the sole responsibility of the O/S providers - Microsoft, Linux, Apple, Sun, Palm, &ct. It makes no sense for a standards working group to attempt to solve those problems. Preventing the circulation of malware is going to be the responsibility of the ISPs hosting the bots.

Network Layer Attacks

We have several people in the group who are cryptographers and/or network security protocol designers. There is a place to discuss that work; this is not it. There is no shortage of forums that are developing authentication &ct. protocols.

Trust Infrastructure Attacks

If we are going to stop phishing we are going to need a means of making sure that the site representing itself as Contoso bank on the net really is the same corporation as the place where you opened the account and handed over the check. This infrastructure is necessary and complex, and I am currently sitting in the CA-Browser forum where we are discussing that exact problem.

User Interaction Attacks

How does the browser communicate the security context to the user?

Chrome Attacks

How does the browser ensure that the trusted path used to communicate the security context is trustworthy?
