Re: [Jmap] JMAP security
Yoav Nir <ynir.ietf@gmail.com> Thu, 09 February 2017 17:07 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: jmap@ietfa.amsl.com
Delivered-To: jmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 447DE129C01 for <jmap@ietfa.amsl.com>; Thu, 9 Feb 2017 09:07:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I-Nn1Ai8Tq2d for <jmap@ietfa.amsl.com>; Thu, 9 Feb 2017 09:07:47 -0800 (PST)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7C06129C00 for <jmap@ietf.org>; Thu, 9 Feb 2017 09:07:46 -0800 (PST)
Received: by mail-wm0-x232.google.com with SMTP id v186so87595783wmd.0 for <jmap@ietf.org>; Thu, 09 Feb 2017 09:07:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=VvSRPIxxFzQ1bCyFMAHbaoYT+MxJ7/YN7WWpfnIKMk8=; b=BOOQUvr9QrFvbGsVPgGWTH9NsSu5DWbm1s50lTUDXsN6CLyNMt921fATKbioGusBpJ MLvIMCqLWwYILlIit0RMeLIWLGbRE0Q4RaIsqxMtd24XcHMuCy2TWkE3ds+8By34f2Ws X3Pglv84/UgkVCNPPpTor1q63WpGY8hL2Uvh7Lew7xN5kMgSK2EmVahqVtJ8ZHIghxKu BSm/tBpSn2a8TtextgXjW9jJcaDWJO+jO6wJYprk+LOWIJcyFNPqz9VEnwdB2UuF+d7C SjZIgu0Eceb3RdCi4PVw3IklxKacuat/MfUQTMp85IY/JYmVlGFpD3AC9VZRbsJGdW0S w2Hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=VvSRPIxxFzQ1bCyFMAHbaoYT+MxJ7/YN7WWpfnIKMk8=; b=DFwrJD2OfyS5LXIpkVr3BEBzFDshP+6XeDCeHtMlMLjgreYFa6aXYRzMZLPFleVx60 13a0/o8k0UReTNqhX9eohMRJZ0nKJIxv+QC1dmpklZxOwOfNLbBgCLjyfMhvL3MSGqfm ac15L2eqhRqA4Ws0sdImiHC+kF4lCC7XNsQWLOEPLh3IqHqdTn9JgI09WH1LCG5l1I0N FL4czBSn7rOpe3kbE46kR7yrU1Rj7tMgtzN+DX850WWjMiEw//AlvTl76/UxEObJPC6f DD0YlYkJ0Undmd/KjrVLFUwbrS1TJJwbmgGfSEFrxxSts/pgBEFqjCEaatsDpeXrjH+n T+Mg==
X-Gm-Message-State: AMke39kAeuKKvfkuxJ8lL3mM2tTYFPBwaUHifbfZeRFRPKsJQH0QsRkFLrh0+Fugm9RU0A==
X-Received: by 10.28.0.2 with SMTP id 2mr3982960wma.141.1486660064157; Thu, 09 Feb 2017 09:07:44 -0800 (PST)
Received: from users-mbp.mshome.net ([176.13.20.218]) by smtp.gmail.com with ESMTPSA id z90sm19501199wrc.24.2017.02.09.09.07.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Feb 2017 09:07:43 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_FD5FD189-255C-4732-A81A-37F51E8E2BAC"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3 (Normal)
In-Reply-To: <1486658028.81835495@f105.i.mail.ru>
Date: Thu, 09 Feb 2017 19:07:40 +0200
Message-Id: <E08B316F-00C5-4EF5-93F1-F4710DFA85B6@gmail.com>
References: <yw8pj50om7igw8xwxd2fon4q.1486574928465@email.android.com> <4ABF6702-BFC7-4530-95FD-C61C06F2E6AB@gmail.com> <1486658028.81835495@f105.i.mail.ru>
To: Дмитрий Подкорытов <podkorytov@mail.ru>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jmap/SctrdmpTtzBclO4yjCPEQv4t6Ko>
Cc: jmap@ietf.org
Subject: Re: [Jmap] JMAP security
X-BeenThere: jmap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: JSON Message Access Protocol <jmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jmap>, <mailto:jmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jmap/>
List-Post: <mailto:jmap@ietf.org>
List-Help: <mailto:jmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jmap>, <mailto:jmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 17:07:48 -0000
Hi, Dmitry. On 9 Feb 2017, at 18:33, Дмитрий Подкорытов <podkorytov@mail.ru> wrote: > Hello, Yoav. > > Четверг, 9 февраля 2017, 0:01 +05:00 от Yoav Nir <ynir.ietf@gmail.com>: > > > On 8 Feb 2017, at 19:28, podkorytov <podkorytov@mail.ru <mailto:podkorytov@mail.ru>> wrote: >> Hello, what about JMAP client security ? >> If it will works inside web browser it can inherit it vulneriabilities and join own, >> > JMAP is (will be?) a protocol. It can be implemented in Javascript in a browser; it can be implemented as part of a desktop or mobile MUA; it can be implemented as a library for use by servers that send email. > > Right, client for JMAP can be designed in different styles, but for working over HTTP > ,to be frank, is more easy to get something like browser or well known HTTP libs and remove useless code from it. > Otherwise, writing communicating by HTTP/HTTPS from ground level may be more difficult , than writing from zero level IMAP or POP3 client. Developers are not faced with the choice of either in-browser or writing on top of libc. I wouldn’t write it from the ground up. If using python I’d use the urllib, json, and ssl modules and then all that remains for me is constructing the objects according to the standard. In C++ I might use libcurl and jsoncpp. Other languages have their equivalents. The session maintenance and request authentication mechanisms that will be in JMAP may or may not be mechanisms that are already implemented in these libraries, but this is true regardless of platform. Developers will choose a platform based on what they want to develop, not based on what platform is marginally easier. EWS works fine in desktop MUAs. >> Any browser plugins such as Adobe's or something else may be potencial hole and targets for attacks. >> > Since we do expect browser use, that is definitely something to consider. Preventing plug-ins and scripts running in other tabs from sending requests on behalf of the user should certainly be a goal for the protocol. There are some ways of doing that: authenticating each HTTP request with something better than session cookies, making the resource names unpredictable, etc. That is definitely part of the design. >> Probably it question out of frames of protocol draft , but it practical thing ang may to influence on JMAP success or fail. It will works inside browser with many others web applications and plug-ins >> > Security considerations are part of every IETF document and discussion of security vulnerabilities within the operating environment are very much in scope. > > Stateless protocols sometimes may be on MITM attack, somebody is able to catch TCP packet from JMAP client and repeat it many times. > All needed for authorization already inside this single packet, right ? Those are addressed by TLS. JMAP has to run over HTTPS, and not just because of these attacks. It’s email. Privacy is not optional. > Destination in this case will be under DoS attack. What is planning in JMAP for preventing such things ? > Maybe random field in JSON structure or time stamp with high precision? A JMAP server is subject to all the DoS attacks that any other HTTPS server is subject to. In fact, I don’t think SMTP or IMAP are any different if they’re using TLS. Yoav
- [Jmap] JMAP security podkorytov
- Re: [Jmap] JMAP security Yoav Nir
- Re: [Jmap] JMAP security Дмитрий Подкорытов
- Re: [Jmap] JMAP security Alexey Melnikov
- Re: [Jmap] JMAP security Yoav Nir
- Re: [Jmap] JMAP security Arnt Gulbrandsen