Re: [Jmap] JMAP security
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 09 February 2017 16:45 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3885129B77 for <jmap@ietfa.amsl.com>; Thu, 9 Feb 2017 08:45:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bovZ2MkRFnr5 for <jmap@ietfa.amsl.com>; Thu, 9 Feb 2017 08:45:20 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id D438C129421 for <jmap@ietf.org>; Thu, 9 Feb 2017 08:45:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1486658719; d=isode.com; s=june2016; i=@isode.com; bh=fGTmqu8bRXrWm/PEKGJJY1WxlEtz50xVniyf45xymp4=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=Qtb2vHSeOAuELzJ6AMw/2wi5B2R2qN7ugSG0IQy/2lfNADAySFOYPEorLp8Rs+BkQIdzq9 idIEjaegzofhIKOpO8HiIdEVcSbeEP+6rwwAZFTA1j9J3SkrJdmLApkM3uA+rsZl+rpE4/ j/zhrAiJ6n2+lwKOQuJDXjkJfk+WPCM=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <WJycngA6w3YJ@waldorf.isode.com>; Thu, 9 Feb 2017 16:45:18 +0000
To: Дмитрий Подкорытов <podkorytov@mail.ru>, Yoav Nir <ynir.ietf@gmail.com>
References: <yw8pj50om7igw8xwxd2fon4q.1486574928465@email.android.com> <4ABF6702-BFC7-4530-95FD-C61C06F2E6AB@gmail.com> <1486658028.81835495@f105.i.mail.ru>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <fa8990fd-a17b-a3ae-b251-6d97431c74b6@isode.com>
Date: Thu, 09 Feb 2017 16:44:57 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
In-Reply-To: <1486658028.81835495@f105.i.mail.ru>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------095397E0D3243FB21725746C"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/DuURdZgq0Ki3MUapIVFdT4CPcyA>
Cc: jmap@ietf.org
Subject: Re: [Jmap] JMAP security
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 16:45:21 -0000
Hi Дмитрий, On 09/02/2017 16:33, Дмитрий Подкорытов wrote: > Hello, Yoav. > > Четверг, 9 февраля 2017, 0:01 +05:00 от Yoav Nir > <ynir.ietf@gmail.com>: > > > On 8 Feb 2017, at 19:28, podkorytov <podkorytov@mail.ru > <mailto:podkorytov@mail.ru>> wrote: > >> Any browser plugins such as Adobe's or something else may be >> potencial hole and targets for attacks. >> > Since we do expect browser use, that is definitely something to > consider. Preventing plug-ins and scripts running in other tabs > from sending requests on behalf of the user should certainly be a > goal for the protocol. There are some ways of doing that: > authenticating each HTTP request with something better than > session cookies, making the resource names unpredictable, etc. > That is definitely part of the design. >> >> Probably it question out of frames of protocol draft , but it >> practical thing ang may to influence on JMAP success or fail. It >> will works inside browser with many others web applications and >> plug-ins >> > Security considerations are part of every IETF document and > discussion of security vulnerabilities within the operating > environment are very much in scope. > > > Stateless protocols sometimes may be on MITM attack, somebody is able > to catch TCP packet from JMAP client and repeat it many times. > All needed for authorization already inside this single packet, right ? > Destination in this case will be under DoS attack. What is planning in > JMAP for preventing such things ? > Maybe random field in JSON structure or time stamp with high precision? JMAP should be running over HTTPS, which should make it much more difficult. Best Regards, Alexey
- [Jmap] JMAP security podkorytov
- Re: [Jmap] JMAP security Yoav Nir
- Re: [Jmap] JMAP security Дмитрий Подкорытов
- Re: [Jmap] JMAP security Alexey Melnikov
- Re: [Jmap] JMAP security Yoav Nir
- Re: [Jmap] JMAP security Arnt Gulbrandsen