Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Michael Thomas <> Thu, 05 January 2012 15:39 UTC

From: Michael Thomas <>
To: Mark Mcgloin <>
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

The wording you propose is unacceptable. It is a rehash of the
same misleading nonsense that is in there now. In particular #1 and
#3 that say in effect "bad guys really should be good" are silly
and unhelpful. #2 has possibilities, but in its current form gives
absolutely no guidance as to what might be done; mine at least
explicitly said that the status quo is unacceptable.

I also completely object to the notion that the authentication
service has no part in protecting itself. It has complete control
over who it allows to register as a client, and as written Eran's
text contradicts #2's possibility of mitigation -- even if William
thinks it's hopeless (as I read him). If William is right the
appropriate guidance is that authentication services MUST NOT
enroll clients that use untrusted browsers. Putting this on the
end users shoulders is useless and should be a reason that the
IESG should just reject the protocol.

I also object to not *explicitly* pointing out that native apps
mean apps from App stores, markets, etc. and the general problem
that users cannot know a priori whether an app is malicious or not. I
don't see why this is even controversial -- unless your aim is to hide
that uncomfortable fact.

This is a threat document, not a marketing puff piece. Downplaying
threats does nobody any good. Except bad guys.


On 01/05/2012 06:01 AM, Mark Mcgloin wrote:
> Having read the suggested wording from Eran, William and Michael, I think
> Eran's description is the most succinct and relevant: "OAuth does not
> provide any protection against malicious applications and that the end user
> is solely responsible for the trustworthiness of any native application
> installed"
>
> @William: The threat has been described in the context of installing
> malicious apps so the wording above is more applicable
>
> @Michael: It has been repeated many times that we should only address
> security issues specific to OAuth, and OAuth does not make things worse if
> a user installs a malicious client. If you want to continue the discussion,
> please email me directly and we can revert to this forum if you still think
> your point is relevant
>
> Section 4.1.4 of the threat model will be updated as below. Remember the
> threat model is just offering advice on best practices.
>
> Threat: End-user credentials phished using compromised or embedded browser
>
> A malicious application could attempt to phish end-user passwords by
> misusing an embedded browser in the end-user authorization process, or by
> presenting its own user interface instead of allowing the trusted system
> browser to render the authorization user interface. By doing so, the usual
> visual trust mechanisms may be bypassed (e.g. TLS confirmation, web site
> mechanisms). By using an embedded or internal client application user
> interface, the client application has access to additional information it
> should not have access to (e.g. uid/password).
>
> Impact: If the client application or the communication is compromised, the
> user would not be aware and all information in the authorization exchange
> could be captured, such as username and password.
>
> Countermeasures:
>
> 1. The OAuth flow is designed so that client applications never need to
> know user passwords. Client applications SHOULD avoid directly asking users
> for their credentials. In addition, end users could be educated about
> phishing attacks and best practices, such as only accessing trusted
> clients, as OAuth does not provide any protection against malicious
> applications and the end user is solely responsible for the trustworthiness
> of any native application installed
>
> 2. Client applications could be validated prior to publication in an
> application market for users to access. That validation is out of scope for
> OAuth but could include validating that the client application handles user
> authentication in an appropriate way
>
> 3. Client developers should not write client applications that collect
> authentication information directly from users and should instead delegate
> this task to a trusted system component, e.g. the system browser.
>
> Regards
> Mark
> wrote on 05/01/2012 00:05:04:
>
>> From: Eran Hammer-Lahav <>
>> To: Michael Thomas <>, Torsten Lodderstedt <>
>> Cc: Barry Leiba <>, oauth WG <>
>> Date: 05/01/2012 00:05
>> Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
>> Sent by:
>>> -----Original Message-----
>>> From: [] On Behalf
>>> Of Michael Thomas
>>> Sent: Wednesday, January 04, 2012 3:40 PM
>>>
>>> My concern is that putting on a veneer of "security" will lull people into
>>> thinking "Oh, it's safe to enter my credentials here because this is really
>>> twitterbook, not evilapp!". When I had to ask them directly to put their
>>> twitterbook credentials into my app, there at least wasn't any confusion that
>>> I had access to them.
>> This is ridiculous (e.g. the fact we are still discussing this).
>>
>> First, end users know nothing about security or OAuth. Second, evil
>> apps can create this veneer of security by faking a redirection flow
>> with or without OAuth. Suggesting that OAuth (which is a de-facto
>> web pattern for over a decade) makes anything worse is patently false.
>>
>> The only thing we can possibly add to the threat model document is
>> to mention that "OAuth does not provide any protection against
>> malicious applications and that the end user is solely responsible
>> for the trustworthiness of any native application installed". That
>> is accurate (and completely obvious to the target audience of this
>> document). It is not very helpful but if it will make you feel
>> better (since no one else here seems to share your concerns), I have
>> no objection to such a one-line addition.
>>
>> And again, to highlight the absurdity of your security claim, it is
>> equally important to warn developers in earthquake-prone countries
>> to put enough distance between the Approve and Deny buttons so that
>> the user will not accidentally hit Approve during a tremor.
>>
>> EHL
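As an added illustration of countermeasures 1 and 3 from the quoted section 4.1.4 (this is editor-added example code, not text from the thread and not code from the OAuth threat-model draft or any of its authors): a native client that hands authentication to the system browser and receives only an authorization code back on a loopback redirect, so the client process never sees the user's password. The authorization endpoint, client id, redirect URI and the sample redirect values are all constructed assumptions for the example.

```python
"""Editor-added example: a native OAuth 2.0 client that delegates user
authentication to the system browser (countermeasure #3) so the client
never handles user credentials (countermeasure #1).

Assumptions (hypothetical, not taken from the thread): the authorization
server lives at https://auth.example.test and the client is registered
with the loopback redirect URI below.
"""
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZATION_ENDPOINT = "https://auth.example.test/authorize"  # hypothetical
CLIENT_ID = "native-client-demo"                                  # hypothetical
REDIRECT_URI = "http://127.0.0.1:8765/callback"                   # loopback listener


def build_authorization_url(state, scope="profile"):
    """Build the authorization request. The client sends only its identity,
    the redirect target and a fresh state value; the user types credentials
    into the trusted system browser, never into this application."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_redirect(path, expected_state):
    """Extract the authorization code from the redirect that arrives on the
    loopback listener. A missing or mismatched state is rejected so that a
    redirect not bound to this client's own request is never accepted."""
    query = parse_qs(urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not bound to this request")
    if "error" in query:
        raise ValueError("authorization server returned error: %s" % query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


class _CallbackHandler(BaseHTTPRequestHandler):
    """Receives the single redirect from the system browser and records its path."""

    def do_GET(self):
        self.server.callback_path = self.path
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"You may close this window and return to the application.")

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_flow():
    """Open the system browser for the user to authenticate there, wait for
    the loopback redirect, and return the authorization code. No password
    ever passes through this process."""
    state = secrets.token_urlsafe(16)
    server = HTTPServer(("127.0.0.1", 8765), _CallbackHandler)
    server.callback_path = None
    webbrowser.open(build_authorization_url(state))
    server.handle_request()  # blocks until the browser is redirected back
    server.server_close()
    return parse_redirect(server.callback_path, state)


if __name__ == "__main__":
    print("authorization code:", run_flow())
```

The point the example makes for the thread's argument is the data-flow one: with the system browser rendering the authorization page, the only thing that reaches the client is the code, so a client built this way has nothing to phish; a client that embeds its own login UI instead is exactly the case the threat entry describes, and nothing in the protocol can stop it from reading what the user types there.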