IETF Logo Mail Archive

Re: [OAUTH-WG] why are we signing?

Dick Hardt <Dick.Hardt@microsoft.com> Tue, 10 November 2009 03:10 UTC

Return-Path: <Dick.Hardt@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E7ED13A686C for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 19:10:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qgVSCdoFu4cO for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 19:10:50 -0800 (PST)
Received: from smtp.microsoft.com (mail3.microsoft.com [131.107.115.214]) by core3.amsl.com (Postfix) with ESMTP id 901A03A681B for <oauth@ietf.org>; Mon, 9 Nov 2009 19:10:50 -0800 (PST)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Mon, 9 Nov 2009 19:11:34 -0800
Received: from TK5EX14MBXC102.redmond.corp.microsoft.com ([169.254.2.41]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi; Mon, 9 Nov 2009 19:11:17 -0800
From: Dick Hardt <Dick.Hardt@microsoft.com>
To: John Panzer <jpanzer@google.com>
Thread-Topic: [OAUTH-WG] why are we signing?
Thread-Index: AQHKYPpiJlPvjbF+7Eug3PbIB1m6s5Et5jgAgAEXDgCAAAHrAIAAGp4AgAAKmoCAAAargA==
Date: Tue, 10 Nov 2009 03:11:15 +0000
Message-ID: <29554EF2-638B-4AE9-947E-CDB12AEAA904@microsoft.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785078711@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570911091627i3e70924bnda232246df3918fd@mail.gmail.com> <cb5f7a380911091634r19f20019rabb3d1c8c9c3246f@mail.gmail.com> <19B1A486-C1F9-4EAF-9DAE-FD886D829236@microsoft.com> <cb5f7a380911091847v375ca8ddtdbe2ab718162cf90@mail.gmail.com>
In-Reply-To: <cb5f7a380911091847v375ca8ddtdbe2ab718162cf90@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-ID: <e527c101-10d2-4f3e-8b9c-f7bdc57604e0>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 03:10:52 -0000

On 2009-11-09, at 6:47 PM, John Panzer wrote:

> On Mon, Nov 9, 2009 at 6:09 PM, Dick Hardt  
> <Dick.Hardt@microsoft.com> wrote:
>>
>> On 2009-11-09, at 4:34 PM, John Panzer wrote:
>>
>>> Counter-argument:  The login pages are protected with https, so
>>> their password is protected.
>>
>> One might then ask why HTTPS is not used for all the other activity  
>> if
>> it is sensitive. HTTPS is available. Crypto gets cheaper and cheaper
>> with Moore's law.
>
> It would be interesting to see the price differential (for peak
> traffic/worst case scenario you need to provision for).

That would be interesting.

>
> Imagine that the resource is, say, a 10MB image.

Setting up the connection is pretty expensive compared to moving data.

>
>>
>>
>>>  Their session cookies are sent in clear text but are themselves
>>> encrypted and are refreshed every (say) 10 minutes to minimize
>>> exposure from leakage.
>>
>> A lot of damage could be done in those ten minutes.
>
> But much less than can be done if passwords can be collected and used
> later when the user is asleep, to access arbitrary services (and
> probably unrelated services because everyone is using the same
> email-based username and low-security password for everything).

Clearly. Point being that lots of damage can happen in ten minutes.  
Take Twitter for an example, I can send LOTS of spam to all your  
followers as direct messages and follow a bunch of people you don't  
want to follow. I have gotten malware spam from other people's Twitter  
accounts.

>
>>
>>> The user's data certainly is sent in clear text form and an attacker
>>> can both read it and impersonate the user to send data if they grab
>>> the cookies, at least for 10 minutes.  So I got nothin' there.
>>>
>>> (Would bearer token plus a way to securely rotate the token every N
>>> minutes make the OAuth session at least as secure as the above
>>> scenario?)
>>
>> I think so. :-)
>
> Don't we want that anyway?

Yes. Refreshing the Access Token is a recommendation in WRAP.

-- Dick

v2.23.0 | Report a Bug | By Email