Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Mon, 04 February 2013 17:02 UTC

From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
Date: Mon, 4 Feb 2013 17:02:23 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A9483E53D9@BY2PRD0411MB441.namprd04.prod.outlook.com>
References: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com> <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com> <510FE88B.9040200@gmail.com>
In-Reply-To: <510FE88B.9040200@gmail.com>

Speaking of ... what is the status of the HOK work? The last draft has expired and it's fallen off of the OAuth page now.



-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Monday, February 04, 2013 10:58 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

On 04/02/13 16:27, William Mills wrote:
> There are two efforts at signed token types: MAC which is still a
> possibility if we wake up and do it,

I'd rephrase it slightly differently: it is a possibility right now. 
OAuth2 supports custom tokens; the fact that OAuth2 may not formally 
approve MAC won't preclude the use of MAC in an OAuth2-compliant manner.

Of course, OAuth2 putting a stamp of approval on it will make it more visible; 
without it, the existing MAC draft issues (if any) will end up being 
addressed at the specific implementation level only - not ideal for the 
community at large, but it is up to OAuth2...

Cheers, Sergey


> and the "Holder Of Key" type tokens.
>
> There are a lot of folks that agree with you.
>
> ------------------------------------------------------------------------
> *From:* L. Preston Sego III <LPSego3@gmail.com>
> *To:* oauth@ietf.org
> *Sent:* Friday, February 1, 2013 7:37 AM
> *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2
> requests
>
> In an oauth2 request, the access token is passed along in the header,
> with nothing else.
>
> As I understand it, oauth2 was designed to be simple for everyone to
> use. And while that's true, I don't really like how all of the security
> is reliant on SSL.
>
> What if an attacker can strip away SSL using a tool such as sslstrip (or
> whatever else would be more suitable for modern https)? They would be
> able to see the access token and start forging whatever requests they
> want to.
>
> Why not do some sort of RSA-type public-private key thing like back in
> Oauth1, where there is verification of the payload on each request? Just
> use a better algorithm?
>


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
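To make the contrast the thread draws between a bearer token and a MAC-style signed request concrete, here is an added example that is not part of the thread or of any draft text: the client signs each request with a key that never appears on the wire, and the resource server rejects replays, altered requests and stale timestamps. The header layout and the field order of the normalized string are my approximation of the MAC draft's structure, not its normative form, and all ids, keys and request values are constructed.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample credential (not from the thread): the id travels in the
# header, the key never does, so a sniffed request does not yield the key.
SAMPLE_KEYS = {"token-id-1": b"constructed-shared-secret"}

def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    # Field order modelled on the MAC draft's normalized request string (assumption).
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]) + "\n"

def compute_mac(key, ts, nonce, method, uri, host, port, ext=""):
    # HMAC-SHA256 over the request description, base64 for transport in the header.
    msg = normalized_request(ts, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def mac_header(mac_id, key, ts, nonce, method, uri, host, port):
    # Client side: the Authorization header value sent with the request.
    mac = compute_mac(key, ts, nonce, method, uri, host, port)
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (mac_id, ts, nonce, mac)

class MacVerifier:
    """Resource-server side: checks signature, timestamp window and nonce reuse."""
    def __init__(self, keys, skew=300):
        self.keys = keys      # mac_id -> shared key
        self.skew = skew      # accepted clock drift in seconds
        self.seen = set()     # (mac_id, ts, nonce) triples already accepted

    def verify(self, header, now, method, uri, host, port):
        if not header.startswith("MAC "):
            return False
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', header))
        try:
            mac_id, ts = attrs["id"], int(attrs["ts"])
            nonce, mac = attrs["nonce"], attrs["mac"]
        except (KeyError, ValueError):
            return False
        key = self.keys.get(mac_id)
        if key is None or abs(now - ts) > self.skew or (mac_id, ts, nonce) in self.seen:
            return False
        # Recompute over the request the server actually received, so a captured
        # header reused for a different method or path no longer matches.
        expected = compute_mac(key, ts, nonce, method, uri, host, port)
        if not hmac.compare_digest(expected, mac):
            return False
        self.seen.add((mac_id, ts, nonce))
        return True
```

A bearer header, by contrast, carries nothing the server can bind to the request, which is exactly the sniffability the original poster objects to.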