[cabfpub] FW: [cabfquest] Ballot 114 - Security concerns on verifying "ownership" of .onion domain names

[Ryan Sleevi]

Adrien,

I have started a separate thread to clarify your status, but unfortunately
must omit your reply.

Your scenarios - both in this message in your previous - fail to
demonstrate .onion as less secure. Indeed, if you evaluate them with a
critical eye to the threat model, you will find rather quite the opposite -
that it demonstrates .onion names possess stronger, technical security
controls than those based on global DNS.

Now, I have already addressed in my previous message the threats that exist
when using the global DNS. We can and must presume that an attacker who can
factor a key or perform a collision attack on SHA-1 is, at best,
demonstrating control over the DNS.

Rather than reply with a similarly longly worded message, I will try to
distill to bullet points the flaws, in the hope they stand on their own.

- You presume Certificate Transparency for the DNS names. This is not true
for the Forum at large, and not true for Chrome at DV. Thus, anyone who
gains control over DNS, even temporarily, can create certificates that are
undetectable to the legitimate holder, and thus irrevocable (largely).
- Likewise, any certificate ever issued in the past, prior to you assuming
control of that DNS domain, remains a threat.
- You nation state attacker performing factoring is equally capable of
directing traffic (such as DNS lookups) to then, but factoring
unquestionably requires more work (MITM+factoring > MITM)
- Again, we see temporary and sustained DNS takeovers on a daily basis.
- Your scenario of traffic manipulation is precisely why certificates (and
features such as HSTS) are useful for .onion names. You are *increasing*
the effective security from simply being name bases (... much like HTTP) to
being end to end.
- Your threat model fails to consider or evaluate the protections built in
to the ballot itself (such as requiring EV, rather than DV), yet you
describe the attacks presuming a DV level.
- You make an assertion that an SSL cert is an indicator that the site is
secure and well-behaved. I'm sorry, that is patently false and misleading,
and while some CAs may continue to market it as such, it is not and was not
true. While the Forum cannot restrict its members from making misleading
statements, I can only fervently state that no, it is NOT a promise of
anything more than a name binding.
- Your so called nuclear option is _already_ supported by the present
ballot, with no changes required.

Overall, I hope you will find that, in every meaningful way that matters, a
factoring of a .onion name is no different than the far more common DNS
hijacking. Further, the structure of the ballot and the certificate provide
many more meaningful controls than exist for DNS-based certificates, on a
real and technical level, rather than just policy.

While I certainly do not intend to sound dismissive, I do think you will
find that as you apply your threat model, you will find we discussed these
rather comprehensively already. While our minutes of our teleconferences
often fail to capture much of the technical meat of discussion, between the
list discussions and what should hopefully be an obvious security model,
these issues were indeed considered and addressed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150302/636afc3e/attachment-0003.html>