IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

William Mills <wmills@yahoo-inc.com> Thu, 05 January 2012 16:29 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E1C021F86BD for <oauth@ietfa.amsl.com>; Thu, 5 Jan 2012 08:29:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.298
X-Spam-Level:
X-Spam-Status: No, score=-16.298 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzi19uEmIhWO for <oauth@ietfa.amsl.com>; Thu, 5 Jan 2012 08:29:07 -0800 (PST)
Received: from nm15.bullet.mail.sp2.yahoo.com (nm15.bullet.mail.sp2.yahoo.com [98.139.91.85]) by ietfa.amsl.com (Postfix) with SMTP id 4BB8B21F8737 for <oauth@ietf.org>; Thu, 5 Jan 2012 08:29:06 -0800 (PST)
Received: from [98.139.91.63] by nm15.bullet.mail.sp2.yahoo.com with NNFMP; 05 Jan 2012 16:29:03 -0000
Received: from [72.30.22.203] by tm3.bullet.mail.sp2.yahoo.com with NNFMP; 05 Jan 2012 16:29:03 -0000
Received: from [127.0.0.1] by omp1065.mail.sp2.yahoo.com with NNFMP; 05 Jan 2012 16:29:03 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 525599.17146.bm@omp1065.mail.sp2.yahoo.com
Received: (qmail 81411 invoked by uid 60001); 5 Jan 2012 16:29:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1325780942; bh=K54ceFwYQuKBw6lr8ouvP1waYkvAjUwZEQrUfcag0PE=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=km5URfMoR0WBCe4geLJpSDbFDQmgf9myV13Kms+EoIYSfWPv1A7MprCNBN+ZoIoQV6aC75kjA4OZVSpZgWGexVXJZhloD0elUdmfY3PhFrWpiyfeZ2zzZnngVo1AGEbVrUKWXAKf9N6WO1SIYyQ1XHdddckQgzr5ARS6rpYdii4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=OHnKmOwfAbayM4JF8RGgWW5z32w3nFI6uMslMS4NKa1vrkoXJAGh9QHsSopVaDHj5J242TmykiR4W53bws5Z4xyqtfxqV5VKuqTZ1TY7nubAnaI8SgI1iX9IIzWTlCBvYeo0pLx4N9ZnWnKUeFitu7dABeNnnToMgkb8lo+n0+c=;
X-YMail-OSG: h.Qn.5cVM1nuM88PAZQ6jJevFpWJfjKDFeV9viAfiYdnS2r KeIyTAPidLdgnGIzv6lYd8nYJkHyZeneQtL5r8Uwbw8CbAwrlH7EB0pfWoum DDH0VqnnvyFedwq9MC0gxG8y5qIEDsgrBq71QDN50sS8JBHvMrW55tq7O5vS hmtf15.tzhWUIg6uZFRFVZcK.XxyvU8ROfDkyf0Pq91RRAq1OFhwvlysOk.I iw8IL2TJwPHefIHasqSLDjVm2qNkVGE.8xvLUhccIrtJ9fHmAqWniYhNLCB5 aOZFupPzCMt8HwJsvC414fqfw6S1LXf.YQ80_4Ka6PjlKnXfBc1DxDN1eWSj _orIT3X5inU6FgxnS1dFGaVi.pwMtJg750YgYYVPJ0muOClZu0QCQyrfMkg0 2jGMbm4hwk_a8EjJtnA--
Received: from [99.31.212.42] by web31809.mail.mud.yahoo.com via HTTP; Thu, 05 Jan 2012 08:29:02 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.116.331537
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com> <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com> <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com> <4F04BF70.3 <90C41DD21FB7C64BB94121FBBC2E723453A72D09B9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <OF8B311AA2.ACF026F4-ON8025797C.00460040-8025797C.004D16DC@ie.ibm.com>
Message-ID: <1325780942.63316.YahooMailNeo@web31809.mail.mud.yahoo.com>
Date: Thu, 05 Jan 2012 08:29:02 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Mark Mcgloin <mark.mcgloin@ie.ibm.com>, OAuth WG <oauth@ietf.org>
In-Reply-To: <OF8B311AA2.ACF026F4-ON8025797C.00460040-8025797C.004D16DC@ie.ibm.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1395015409-1746656220-1325780942=:63316"
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 16:29:08 -0000

There's going to be a whole class of apps tat will be in violation of "Client applications SHOULD avoid directly asking users for the their 
credentials.".  We know that already, because the password grant exists 
and we have real use cases for it.  I think we should strikes that 
sentence and move that idea to #3 (soon to be #2)


I think point 2 should be struck, it's pointless.  What would matter here is whether the user can check that the app has been validated, and 
we're not defining that.


I would change #3 (now #2?) to:
   3. It is RECOMMENDED that client applications use the web based authentication 
   flow, this takes advantage of a more trusted system component, e.g. the system 
   browser, and provides a consistent authentication experience for the user
   across applications.  The user is then always presenting their credential to a
   known and trusted web page.  Collection and use of primary authentication from
   the user by client applications is NOT RECOMMENDED.

Regards,

-bill

P.S. hit the wrong key earlier and replied only to Mark with this.  Should have hit the list.  Sorry Mark.



________________________________
 From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
To: OAuth WG <oauth@ietf.org> 
Sent: Thursday, January 5, 2012 6:01 AM
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
 
Having read the suggested wording from Eran, William and Michael, I think
Eran's description is the most succinct and relevant: "OAuth does not
provide any protection against malicious applications and that the end user
is solely responsible for the trustworthiness of any native application
installed"
@William: The threat has been described in the context of installing
malicious apps so the wording above it more applicable
@Michael: It has been repeated many times that we should only address
security issues specific to Oauth, and Oauth does not make things worse if
a user installs a malicious client. If you want to continue the discussion,
please email me directly and we can revert to this forum if you still think
your point is relevant

Section 4.1.4 of the threat model will be updated as below. Remember the
threat model is just offering advice on best practices.


Threat: End-user credentials phished using compromised or  embedded browser

A malicious application could attempt to phish end-user passwords by
misusing an embedded browser in the end-user authorization process, or by
presenting its own user-interface instead of allowing trusted system
browser to render the authorization user interface.  By doing so, the usual
visual trust mechanisms may be bypassed (e.g.  TLS confirmation, web site
mechanisms).  By using an embedded or internal client application user
interface, the client application has access to additional information it
should not have access to (e.g. uid/password).

Impact: If the client application or the communication is compromised, the
user would not be aware and all information in the authorization exchange
could be captured such as username and password.

Countermeasures:

1. The OAuth flow is designed so that client applications never need to
know user passwords. Client applications SHOULD avoid directly asking users
for the their credentials. In addition, end users could be educated about
phishing attacks and best practices, such as only accessing trusted
clients, as OAuth does not provide any protection against malicious
applications and the end user is solely responsible for the trustworthiness
of any native application installed

2. Client applications could be validated prior to publication in an
application market for users to access. That validation is out of scope for
OAuth but could include validating that the client application handles user
authentication in an appropriate way

3. Client developers should not write client applications that collect
authentication information directly from users and should instead delegate
this task to a trusted system component, e.g. the system-browser.

Regards
Mark

oauth-bounces@ietf.org wrote on 05/01/2012 00:05:04:

> From:
>
> Eran Hammer-Lahav <eran@hueniverse.com>
>
> To:
>
> Michael Thomas <mike@mtcc.com>, Torsten Lodderstedt
<torsten@lodderstedt.net>
>
> Cc:
>
> Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
>
> Date:
>
> 05/01/2012 00:05
>
> Subject:
>
> Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec
2011
>
> Sent by:
>
> oauth-bounces@ietf.org
>
>
>
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> > Of Michael Thomas
> > Sent: Wednesday, January 04, 2012 3:40 PM
>
> > My concern is that putting on a veneer of "security" will lull people
into
> > thinking "Oh, it's safe to enter my credentials here because this is
really
> > twitterbook, not evilapp!". When I had to ask them directly to put
their
> > twitterbook credentials into my app, there at least wasn't any
> confusion that
> > I had access to them.
>
> This is ridiculous (e.g. the fact we are still discussing this).
>
> First, end users know nothing about security or OAuth. Second, evil
> apps can create this veneer of security by faking a redirection flow
> with or without OAuth. Suggesting that OAuth (which is a de-facto
> web pattern for over a decade) makes anything worse is patently false.
>
> The only thing we can possibly add to the threat model document is
> to mention that "OAuth does not provide any protection against
> malicious applications and that the end user is solely responsible
> for the trustworthiness of any native application installed". That
> is accurate (and completely obvious to the target audience of this
> document). It is not very helpful but if it will make you feel
> better (since no one else here seems to share your concerns), I have
> no objection to such one line added.
>
> And again, to highlight the absurdity of your security claim, it is
> equally important to warn developers in earthquake-prone countries
> to put enough distance between the Approve and Deny buttons so that
> the user will not accidentally hit Approve during a tremor.
>
> EHL
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.14.0 | Report a Bug | By Email