Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-security-00
Francisco Corella <fcorella@pomcor.com> Tue, 22 February 2011 05:56 UTC
Return-Path: <fcorella@pomcor.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 69A733A6836 for <oauth@core3.amsl.com>; Mon, 21 Feb 2011 21:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.391
X-Spam-Level:
X-Spam-Status: No, score=-1.391 tagged_above=-999 required=5 tests=[AWL=1.207, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IXAxlb7c-zzM for <oauth@core3.amsl.com>; Mon, 21 Feb 2011 21:56:40 -0800 (PST)
Received: from nm15-vm0.bullet.mail.bf1.yahoo.com (nm15-vm0.bullet.mail.bf1.yahoo.com [98.139.212.254]) by core3.amsl.com (Postfix) with SMTP id 5116C3A6835 for <oauth@ietf.org>; Mon, 21 Feb 2011 21:56:40 -0800 (PST)
Received: from [98.139.212.152] by nm15.bullet.mail.bf1.yahoo.com with NNFMP; 22 Feb 2011 05:57:20 -0000
Received: from [98.139.212.217] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 22 Feb 2011 05:57:20 -0000
Received: from [127.0.0.1] by omp1026.mail.bf1.yahoo.com with NNFMP; 22 Feb 2011 05:57:20 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 93418.61310.bm@omp1026.mail.bf1.yahoo.com
Received: (qmail 51734 invoked by uid 60001); 22 Feb 2011 05:57:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1298354239; bh=lkJKqR7rZ89hGT+PVgqEcvyAl6GZ2JwWCvRuUmnaBrM=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Oni82ELdqsdy9TgI0CpUliQ/4LdB7fIs4JEs+amS7FhP6hZNrzKb0SIozfy25a2E4Fr2s+ckcgls9Pmy+mhcG6wBpsCEwIb8Cc/Ptkk7L1btbvogDxzV/gkla9U3t53JxqxzkVlA64wn2Xl6AV2T3+CAA+IxzxzCE0ESsE8vRuY=
Message-ID: <862855.47753.qm@web55808.mail.re3.yahoo.com>
X-YMail-OSG: ZsKFA0IVM1mg1pxiFEGFpt4CXjlO.2cvArFuYLXfNdQcC5n H5hYe.RL0RMFjotTLlPMlXxyCiizLdBsHjWaFFjbYgjObCHQq1Jv6SYjZlWW .VYQATGgkebuVlFsQrvQ9qHb1Akqby90FMyaiCesM69i.YRNxdh5rIOOpBRD Hfm4xUMA5FPpxKWxtRkWxA9GktfeKZMPKAH6Lli1PxFf.xpqi5EX3DIQJNQM _owWUa6ZVFN_oedNn0c5BaMG83Bvl8MIk60qG9bmZ3X85NyVC2nS_X4R.lgY GIvww9QlwMBQt5o96H4rplzIHzmYJza6_ZsaCnEBJyL4GtgThZRIviVUxm12 PE.lF
Received: from [174.65.103.16] by web55808.mail.re3.yahoo.com via HTTP; Mon, 21 Feb 2011 21:57:19 PST
X-RocketYMMF: francisco_corella
X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.109.292656
Date: Mon, 21 Feb 2011 21:57:19 -0800
From: Francisco Corella <fcorella@pomcor.com>
To: OAuth WG <oauth@ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <4D6165F1.6010401@lodderstedt.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-750971263-1298354239=:47753"
Cc: "Karen P. Lewison" <kplewison@pomcor.com>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-security-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: fcorella@pomcor.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2011 05:56:42 -0000
Hi Torsten, > 4.4.1.2. Threat: Eavesdropping authorization codes > > The OAuth specification does not describe any mechanism for > protecting authorization codes from eavesdroppers when they are > transmitted from the Service Provider to the Client and where the > Service Provider Grants an Access Token. > > Note: A description of a similar attack on the SAML protocol can be > found at http://www.oasis-open.org/committees/download.php/3405/ > oasis-sstc-saml-bindings-1.1.pdf (S.4.1.1.9.1). > > Countermeasures: > > o The authorization server SHOULD enforce a one time usage > restriction (see Section 5.1.5.4). Authorization server as well > as Resource server MUST ensure that these transmissions are > protected using transport-layer mechanisms such as TLS or SSL > (see Section 5.1.1). You are talking here about eavesdropping to obtain the authorization code. The authorization code is not sent to the resource servers. I agree that the authorization code must be protected by TLS when it is sent by the client to the authorization server. But it must ALSO be protected when it is sent by the browser to the client. (The connection from the browser to the client is easier to eavesdrop on than the connection from the client to the authorization server!) (It must also be protected when sent from the authorization server to the browser in the redirection response, which is probably the case anyway, since that's the response portion of the HTTP request that authenticates the user.) > ... > > 4.4.1.6. Threat: Authorization code phishing > > A hostile party could act as the client web server and get access to > the authorization code. This could be achieved using DNS or ARP > spoofing. Yes. > Impact: This affects web applications and may lead to a > disclosure of authorization codes and, potentially, the corresponding > access and refresh tokens. The attacker will not get the access and refresh tokens without the client_id, but doesn't need to. The attacker can impersonate the user, log in to the client if the protocol is used for social login as in "log in with Facebook", and use the client to obtain protected resources of the legitimate user and deliver them to the attacker. The attacker never sees an access token, but the client gets the access token and uses it for the benefit of the attacker. > Countermeasures: > > o The client shall authenticate the server using server > authentication - Section 5.1.2 Really????????? The browser is sending the authorization code to the client, and the attacker is using DNS or ARP spoofing to receive it instead of the client. To prevent this, what's needed is obviously authentication of the client by the browser, not authentication of the server by the client! > o The authorization server shall require the client to authenticate > with a secret, so the binding of the authorization code to a > certain client can be validated in a reliable way (see > Section 5.2.4.4). Client authentication to the server does not prevent the attack. The authorization code is a credential that provides access to the user's protected resources (via the client) and allows the user to log in to the client (in a social-login scenario). Sending it without TLS protection, as OAuth 2.0 does, is tantamount to sending a user password without TLS protection. If you are not convinced please read the message I sent you a few weeks ago, available at http://www.ietf.org/mail-archive/web/oauth/current/msg04900.html, and section 3.5.3 of the security analysis paper I announced earlier, available at http://www.pomcor.com/techreports/DoubleRedirection.pdf. (Section 3.5.3 refers to section 2; if you don't want to read the whole section 2, the relevant portion is the last three paragraphs of page 4.) Francisco
- Re: [OAUTH-WG] Fwd: New Version Notification for … Eran Hammer-Lahav
- [OAUTH-WG] Fwd: New Version Notification for draf… Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Eaton
- Re: [OAUTH-WG] Fwd: New Version Notification for … Francisco Corella
- Re: [OAUTH-WG] Fwd: New Version Notification for … Eran Hammer-Lahav
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Francisco Corella