Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Fri, 29 January 2016 05:14 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D61011B3DD8 for <oauth@ietfa.amsl.com>; Thu, 28 Jan 2016 21:14:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9jQ3Vh4fi-pK for <oauth@ietfa.amsl.com>; Thu, 28 Jan 2016 21:14:55 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C01541B3DD6 for <oauth@ietf.org>; Thu, 28 Jan 2016 21:14:55 -0800 (PST)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u0T5Esnb001369 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 29 Jan 2016 05:14:54 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u0T5ErES017158 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 29 Jan 2016 05:14:53 GMT
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u0T5EqQH024841; Fri, 29 Jan 2016 05:14:53 GMT
Received: from [192.168.1.23] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 28 Jan 2016 21:14:52 -0800
Content-Type: multipart/alternative; boundary=Apple-Mail-BC5FE6DD-80C0-4C8F-B28B-C7D27430C922
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (13D15)
In-Reply-To: <CABzCy2BnB7tM+Z-zDzMBq6pRmpPsZaLWt7GM31E+EPTppoLmzQ@mail.gmail.com>
Date: Thu, 28 Jan 2016 21:14:50 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <7FC3FCB3-2FFA-4629-A59F-755BAFEA73FA@oracle.com>
References: <809D2C8D-F76B-42AD-93D1-E6AF487487AA@oracle.com> <362D654D-BC33-45AE-9F64-0A131A9EBC5E@oracle.com> <7BA5A647-5BBB-4C5E-95C7-0D6F295F96A6@gmail.com> <87971FDB-B51A-48B6-8311-6E55322960FC@oracle.com> <DDFE7F75-46BB-4868-8548-CF449452EB69@gmail.com> <222CF07B-5AA7-4789-8AC8-7C32377C5AE6@oracle.com> <73E18F37-C765-4F62-A690-102D0C794C52@oracle.com> <845FCC92-E0A5-413F-BA4E-53E0D4C4DBD4@gmail.com> <0178F662-732A-42AA-BE42-E7ECBDEE3353@oracle.com> <63914724-175F-47EA-BC48-5FB9E6C5FE87@ve7jtb.com> <CABzCy2A6UwB5PmwdAkvaWtz1UVE9r8E1qmOJYHWtG7O2S3FEPg@mail.gmail.com> <56A8BB7C.80702@aol.com> <56A8BCC3.6030903@aol.com> <CABzCy2BFP2pOoFML4DujF3Q9F0=1nqw_6uVaVrsjZFTs7hE1ow@mail.gmail.com> <F89550EB-EBED-4AB3-BF6F-B15D6B4DD7A3@mit.edu> <56A92F08.9050706@pingidentity.com> <CABzCy2BniK8586Ka_pb3Wz26MUkdRBZK1CsJe=W7TX179+Wh5A@mail.gmail.com> <56A962FA.2010004@pingidentity.com> <CABzCy2CKfZAMg2arjx1uvA73tB4kFaoL2ri4CBNimE99naKarA@mail.gmail.com> <5DC2FC1D-CBBA-4FB8-9358-0D1A046D! 8A99@ve7jtb.com> <CABzCy2BnB7tM+Z-zDzMBq6pRmpPsZaLWt7GM31E+EPTppoLmzQ@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/0JXP0VJ0OX_Vhk90W1D5rlvkqhc>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 05:14:59 -0000

We discussed that redirecr helps but we wanted the Token endpoint to also be able to detect assuming many client devs won't implement the check. 

Phil

> On Jan 28, 2016, at 20:54, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> My preferred way of dealing with mix-up has been to use separate redirection URI but your using issuer instead is for the backward compatibility? 
> 
> Nat
> 
> 2016年1月29日(金) 2:53 John Bradley <ve7jtb@ve7jtb.com>om>:
>> Yes,  I note either mitigation in draft-jones-oauth-mix-up-mitigation-01 will stop this attack.
>> 
>> White listing AS seems tempting, but is just sweeping the problem partially under the rug.  
>> There are probably good policy reasons to whitelist AS but we shouldn’t let this AS mixup be one of them.
>> 
>> John B.
>> 
>> 
>>> On Jan 27, 2016, at 10:42 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>>> 
>> 
>>> I see. That's like double cut-n-paste. 
>>> 
>>> I tried to capture this case of used-to-be-good AS turning Compromised AS (Log leaking AS) in a sequence diagram: http://j.mp/1QtDeKD
>>> 
>>> Given this, just relying on not using random AS is not good enough. You would probably require AS w/ISMS with the policy of not logging un-masked credentials and has strict access control on the log ;-) 
>>> 
>>> Nat
>>> 
>>> 2016年1月28日(木) 9:38 Hans Zandbelt <hzandbelt@pingidentity.com>om>:
>>>> indeed, if the attacker is able to phish the user, he can put up a
>>>> script that first triggers the authorization request to the compromised
>>>> AS (i.e. the AS at which he has access to the logs and gathers the state
>>>> value from) through the Client, and subsequently trigger the redirect to
>>>> the good AS using an auto-refresh of that same phishing page (with the
>>>> stolen state value); no need to control the authorization endpoint of
>>>> the compromised AS itself
>>>> 
>>>> Hans.
>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>> 
>>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth