Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

Prabath Siriwardena <prabath@wso2.com> Wed, 06 February 2013 18:00 UTC

Date: Wed, 06 Feb 2013 23:30:05 +0530
Message-ID: <CAJV9qO94U5PMHOzM6LjPGAqUGdCsPAgDbxV8vWedYbWmiF815A@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: William Mills <wmills_92105@yahoo.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "L. Preston Sego III" <LPSego3@gmail.com>
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

On Wed, Feb 6, 2013 at 11:26 PM, William Mills <wmills_92105@yahoo.com> wrote:

> Yes, MAC relies on SSL for transport security.  But you have bigger
> problems than that if SSL is broken, because your primary authentication
> credential is compromised now.
>

+1


>
> Do we need to address sslstrip here if it's a general attack on SSL
> transport for the browser?
>

Yes, it's a general attack against SSL, and countermeasures are defined too.

Thanks & regards,
-Prabath


>   ------------------------------
> *From:* Prabath Siriwardena <prabath@wso2.com>
> *To:* William Mills <wmills_92105@yahoo.com>
> *Cc:* L. Preston Sego III <LPSego3@gmail.com>; "oauth@ietf.org" <
> oauth@ietf.org>
> *Sent:* Wednesday, February 6, 2013 8:23 AM
> *Subject:* Re: [OAUTH-WG] I'm concerned about how the sniffability of
> oauth2 requests
>
>
>
> On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92105@yahoo.com> wrote:
>
> There are two efforts at signed token types: MAC which is still a
> possibility if we wake up and do it, and the "Holder Of Key" type tokens.
>
>
> If someone can use sslstrip then even MAC is not safe - since the MAC key
> needs to be transferred over SSL to the Client from the AS.
>
> There are standard ways in HTTP to avoid or protect from sslstrip - IMHO
> we need to occupy those best practices...
>
> Thanks & regards,
> -Prabath
>
>
>
> There are a lot of folks that agree with you.
>
>   ------------------------------
> *From:* L. Preston Sego III <LPSego3@gmail.com>
> *To:* oauth@ietf.org
> *Sent:* Friday, February 1, 2013 7:37 AM
> *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2
> requests
>
> In an oauth2 request, the access token is passed along in the header, with
> nothing else.
>
> As I understand it, oauth2 was designed to be simple for everyone to use.
> And while that's true, I don't really like how all of the security is
> reliant on SSL.
>
> What if an attacker can strip away SSL using a tool such as sslstrip (or
> whatever else would be more suitable for modern https)? They would be able
> to see the access token and start forging whatever request he or she wants
> to.
>
> Why not do some sort of RSA-type public-private key thing like back in
> Oauth1, where there is verification of the payload on each request? Just
> use a better algorithm?
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>
>
>
>
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
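As an added illustration of the "verification of the payload on each request" that the thread contrasts with a bare bearer token (example code written for this page, not code from the thread, from WSO2, or from any OAuth MAC draft): the client signs each request with an HMAC over the method, host, path, body hash, timestamp and nonce, and the resource server verifies it, rejecting tampered, stale or replayed requests. The header layout, the key id and the key value are constructed for the example; as the thread points out, the key itself still reaches the client over TLS, so this protects the per-request payload, not the key exchange.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential: a MAC-style key the client obtained from the
# authorization server (over TLS). Values are made up for this example.
KEY_ID = "example-key-id"
MAC_KEY = b"example-shared-secret-not-a-real-key"


def normalized_request(method, host, path, body, ts, nonce):
    """Canonical string covering every part of the request we want protected."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), host.lower(), path, body_hash, str(ts), nonce])


def sign_request(method, host, path, body, key_id=KEY_ID, key=MAC_KEY, ts=None, nonce=None):
    """Client side: build an Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = normalized_request(method, host, path, body, ts, nonce).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_header(header):
    """Split 'MAC k="v", k="v"' into a dict; None if the scheme is not MAC."""
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        return None
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = v.strip('"')
    return out


def verify_request(header, method, host, path, body, keys, seen_nonces, now, max_skew=60):
    """Resource server side: accept only a fresh, untampered, unreplayed request."""
    p = parse_header(header)
    if p is None or not all(k in p for k in ("id", "ts", "nonce", "mac")):
        return False
    key = keys.get(p["id"])
    if key is None or not p["ts"].isdigit():
        return False
    ts = int(p["ts"])
    if abs(now - ts) > max_skew or (p["id"], p["nonce"]) in seen_nonces:
        return False  # stale timestamp or replayed nonce
    msg = normalized_request(method, host, path, body, ts, p["nonce"]).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p["mac"]):
        return False  # payload or header was altered in transit
    seen_nonces.add((p["id"], p["nonce"]))
    return True
```

A sniffed header from this scheme reveals the key id and one valid signature, but not the key, so the observer can neither alter the body nor reuse the request once its nonce has been seen or its timestamp has aged out.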