IETF Logo Mail Archive

Re: [Jmap] JMAP security

Дмитрий Подкорытов <podkorytov@mail.ru> Thu, 09 February 2017 16:33 UTC

Return-Path: <podkorytov@mail.ru>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B847129BBD for <jmap@ietfa.amsl.com>; Thu, 9 Feb 2017 08:33:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mail.ru
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNjDa8Yd2zmL for <jmap@ietfa.amsl.com>; Thu, 9 Feb 2017 08:33:51 -0800 (PST)
Received: from f105.i.mail.ru (f105.i.mail.ru [94.100.178.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47C5F129BB1 for <jmap@ietf.org>; Thu, 9 Feb 2017 08:33:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru; s=mail2; h=References:In-Reply-To:Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:Cc:To:From; bh=s9a99Mc1TN10vPHB8T1cBqRCKYAM30kO3JJEhKqo1+E=; b=puNDZPoLC5+8MC5vwXbQHIkVDbIMXPdbALRhbD+Qtow2YhO7hDETIKREb6/dWlucddLuDlpj2/PzPEXFP91JquhQ37apohsKNGLtOmEwUYj6GjxguI6/3oKU28MCsO4G8jwdUzt5xgp9QxcRvIqeix4m8gI7jfUdJyq1l8VA/3o=;
Received: from [85.233.150.58] (ident=mail) by f105.i.mail.ru with local (envelope-from <podkorytov@mail.ru>) id 1cbrfI-0006a8-2g; Thu, 09 Feb 2017 19:33:48 +0300
Received: from [85.233.150.58] by e.mail.ru with HTTP; Thu, 09 Feb 2017 19:33:48 +0300
From: Дмитрий Подкорытов <podkorytov@mail.ru>
To: Yoav Nir <ynir.ietf@gmail.com>
MIME-Version: 1.0
X-Mailer: Mail.Ru Mailer 1.0
Date: Thu, 09 Feb 2017 19:33:48 +0300
X-Priority: 3 (Normal)
Message-ID: <1486658028.81835495@f105.i.mail.ru>
Content-Type: multipart/alternative; boundary="--ALT--bF7beVup5mC6TtbgiRrOsj8oOIVLvtnn1486658028"
Authentication-Results: f105.i.mail.ru; auth=pass smtp.auth=podkorytov@mail.ru smtp.mailfrom=podkorytov@mail.ru
X-E1FCDC63: 91BC95D06DB20CF7134CEEF3156B42B74C6784DEA8096F07
X-E1FCDC64: 14EA137241501AD66E2D44ACC8086B5E8F0BFC4104A0E32C798653E96080BF19
X-Mailru-Sender: D41D38B29617681108C6F16C124CCB60C6496B83B5065A6C00CB9CEA573BBBF532ECDF61101237DF660823B2EEFD31DC
X-Mras: OK
X-Spam: undefined
In-Reply-To: <4ABF6702-BFC7-4530-95FD-C61C06F2E6AB@gmail.com>
References: <yw8pj50om7igw8xwxd2fon4q.1486574928465@email.android.com> <4ABF6702-BFC7-4530-95FD-C61C06F2E6AB@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/SS6yUpNjz1vi_4nguVndRgsI_rY>
Cc: jmap@ietf.org
Subject: Re: [Jmap] JMAP security
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Дмитрий Подкорытов <podkorytov@mail.ru>
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 16:33:54 -0000

Hello, Yoav.

>Четверг,  9 февраля 2017, 0:01 +05:00 от Yoav Nir <ynir.ietf@gmail.com>:
>
>
>On 8 Feb 2017, at 19:28, podkorytov < podkorytov@mail.ru > wrote:
>>Hello, what about JMAP client security ? 
>>If it will works inside web browser it can inherit it vulneriabilities and join own, 
>JMAP is (will be?) a protocol. It can be implemented in Javascript in a browser; it can be implemented as part of a desktop or mobile MUA; it can be implemented as a library for use by servers that send email.
Right, client for JMAP can be designed in  different styles, but for working over HTTP 
,to be frank,  is more easy to get something like browser or well known HTTP libs and remove useless code from it.
  O therwise , writing communicating by HTTP/HTTPS from ground level may be more difficult , than writing from zero level IMAP or POP3 client.

>>Any browser plugins such as Adobe's or something else may be potencial hole and targets for attacks. 
>Since we do expect browser use, that is definitely something to consider.  Preventing plug-ins and scripts running in other tabs from sending requests on behalf of the user should certainly be a goal for the protocol.  There are some ways of doing that: authenticating each HTTP request with something better than session cookies, making the resource names unpredictable, etc. That is definitely part of the design.
>>Probably it question out of frames of protocol draft , but it practical thing ang may to influence on JMAP success or fail. It will works inside browser with many others web applications and plug-ins
>Security considerations are part of every IETF document and discussion of security vulnerabilities within the operating environment are very much in scope.
Stateless protocols sometimes may be on MITM attack, somebody is able to catch TCP packet from JMAP client and repeat it many times. 
All needed for authorization already inside this single packet, right ?
Destination in this case will be under DoS attack. What is planning in JMAP for preventing such things ?
Maybe random field in JSON structure or time stamp with high precision?

>
>Yoav
>
>_______________________________________________
>Jmap mailing list
>Jmap@ietf.org
>https://www.ietf.org/mailman/listinfo/jmap


Dmitrii Podkorytov

v2.23.0 | Report a Bug | By Email