Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-17.txt

Daniel Fett <fett@danielfett.de> Thu, 08 April 2021 15:53 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C3313A0C06 for <oauth@ietfa.amsl.com>; Thu, 8 Apr 2021 08:53:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eE7mPL4LpYu9 for <oauth@ietfa.amsl.com>; Thu, 8 Apr 2021 08:53:41 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79E0C3A0C03 for <oauth@ietf.org>; Thu, 8 Apr 2021 08:53:41 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id CC76823EB8; Thu, 8 Apr 2021 15:53:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1617897211; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=bRhdyi2RSgMDY7+01zKc/VOOOqvy2ctvgrdn82OuvLo=; b=hX8iJq0H3N8enem7RRZV/cjpQpFG82BLxdusGZGKoHVF6cOGOuZVKUmzmFAoyAts5BoHkl cKo/4iWdekUcvdJAIvMp7m3VZJ6V4CZPM4MoO5aFAT8qB7dqLenMty5Wbxc9zry+LIJnjT utvpYzKmyAfA2OZGBAInpmvNF6ZBZqA=
To: George Fletcher <gffletch@aol.com>, oauth@ietf.org
References: <161771436122.1506.973742618731100764@ietfa.amsl.com> <63c57751-ff04-4e75-a74d-c4ba1105fb56@danielfett.de> <35d57c1b-5e1f-aec7-8669-c93260e873da@aol.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <10e3f3b4-9f96-153a-fe41-0a2b3c27f095@danielfett.de>
Date: Thu, 8 Apr 2021 17:53:30 +0200
MIME-Version: 1.0
In-Reply-To: <35d57c1b-5e1f-aec7-8669-c93260e873da@aol.com>
Content-Type: multipart/alternative; boundary="------------D919D254C028EE8689CE991F"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1617897211; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=bRhdyi2RSgMDY7+01zKc/VOOOqvy2ctvgrdn82OuvLo=; b=GlR0G/9iCW9CfkEDK4OyMz3mUksn9ZJzQ70JUyNYz0eTGTYAbZyhOYof8990cJG99582XB o54sbeA6n20JbB+d2Gz7UbLElr1vx/Rkd/sMB3BQcBFlYMc+FVROZOzuy+//Nvi4HhlZiY X55x9kE6LEtRKRgTeNb4KRzsWWE9+CE=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1617897211; a=rsa-sha256; cv=none; b=DoW+pVAaOIhMqUUQZAGOmnJMCHKGn191Ztq2u5jgspqoNd9oPgT4wQyXXwaFNdgyTiXF44 Y11qDLjBXIiun1lUB0qHhYBlOqkzr5lygzi1HPV/vGrbtI+OYzTNdXlt+M0nf4IgFS34my RVSPGzFzdFsVvKiBSnsOMF2AydlXuaE=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: --
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/14S7tasj3I04bZqu9P_CrsHYqsg>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-17.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Apr 2021 15:53:46 -0000

Hi George,

client impersonation is covered extensively in RFC6749 already, with
further recommendations in RFC6819. The basics of this attack have not
changed since public clients where introduced, but, as you mention, on
mobile operating systems we see new mechanics for authenticating clients
(or the lack thereof).

I worked together with Joseph Heenan and Fabian Hauck to develop new
best practices in this area [1]. I feel that the complexity of this
whole topic would be much better dealt with in an update to BCP 212 (RFC
8252).

Since the basics have been covered elsewhere, I do not see an immediate
need to update the security BCP and quite frankly, I fear that this
would set us back at least another year or so.

-Daniel


[1] https://danielfett.de/2020/11/27/improving-app2app/



Am 07.04.21 um 22:06 schrieb George Fletcher:
> While this is mostly covered in section 8.6 of RFC 8252 for native
> apps, I wonder if we shouldn't mention "Client Impersonation" in this
> doc as well in that any public client can be easily impersonated.
> Mobile OS's are providing additional mechanisms for "authenticating"
> the client but it's unclear whether those will be made available in
> desktop environments where native apps also exist. At this stage
> Universal Links (iOS) and App Links (Android) should be best practice
> for any mobile native app. Best practice for desktop apps is less clear.
>
> Impersonating a public client is very easy especially if the only
> mechanism available for the callback is a custom scheme URL.
>
> Thoughts?
>
> On 4/6/21 9:15 AM, Daniel Fett wrote:
>> Hi all,
>>
>> this version most importantly updates the recommendations for Mix-Up
>> mitigation, building upon
>> https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00. The
>> description of Mix-Up attacks has also been improved.
>>
>> Smaller changes:
>>
>>    * Make the use of metadata RECOMMENDED for both servers and clients
>>    * Make announcing PKCE support in metadata the RECOMMENDED way
>> (before: either metadata or deployment-specific way)
>>    * AS also MUST NOT expose open redirectors.
>>    * Mention that attackers can collaborate.
>>    * Make HTTPS mandatory for most redirect URIs.
>>
>> I'll present more details in the interim meeting next monday.
>>
>> As always, your feedback is appreciated. We hope that we can proceed
>> to a WGLC for this document soon.
>>
>> -Daniel
>>
>> Am 06.04.21 um 15:06 schrieb internet-drafts@ietf.org:
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>>>
>>>         Title           : OAuth 2.0 Security Best Current Practice
>>>         Authors         : Torsten Lodderstedt
>>>                           John Bradley
>>>                           Andrey Labunets
>>>                           Daniel Fett
>>> 	Filename        : draft-ietf-oauth-security-topics-17.txt
>>> 	Pages           : 52
>>> 	Date            : 2021-04-06
>>>
>>> Abstract:
>>>    This document describes best current security practice for OAuth 2.0.
>>>    It updates and extends the OAuth 2.0 Security Threat Model to
>>>    incorporate practical experiences gathered since OAuth 2.0 was
>>>    published and covers new threats relevant due to the broader
>>>    application of OAuth 2.0.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>>>
>>> There is also an HTML version available at:
>>> https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-17.html
>>>
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-17
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> -- 
>> https://danielfett.de
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
https://danielfett.de