Re: [OAUTH-WG] problem statement

Michael Thomas <mike@mtcc.com> Tue, 06 September 2011 19:20 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7559F21F8DDE for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 12:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sd7Bl3lS+QbW for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 12:20:35 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 1586821F8D57 for <oauth@ietf.org>; Tue, 6 Sep 2011 12:20:35 -0700 (PDT)
Received: from piolinux.mtcc.com (65-165-164-246.volcano.net [65.165.164.246]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id p86JMJCr021176 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 6 Sep 2011 12:22:20 -0700
Message-ID: <4E6672E7.6040305@mtcc.com>
Date: Tue, 06 Sep 2011 12:22:15 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <CA8BBD69.193BE%eran@hueniverse.com>
In-Reply-To: <CA8BBD69.193BE%eran@hueniverse.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=10702; t=1315336941; x=1316200941; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20problem=20statement |Sender:=20 |To:=20Eran=20Hammer-Lahav=20<eran@hueniverse.com> |Content-Type:=20text/plain=3B=20charset=3Dwindows-1252=3B= 20format=3Dflowed |Content-Transfer-Encoding:=208bit |MIME-Version:=201.0; bh=ud+uVIf3ScgIHebyQ/e2vlwkuAkwKihdU0Yx6IcmEm0=; b=XAIdd+RABt2Lv2//jeZk3Ox1zpnegYa+7i7PI2PwhGZv6qhBIc8z5QupLz jLQc2MyAlvl0V+91tmlZxRmer5bxu9oeStSJMxwF1CBT30Vpsxpgse6e6HBe bsdJfFC2J5LWb+YpsCFVzhHfmSv2QGWWTX9hyh26vXyBLOwgFO0/Q=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 19:20:36 -0000

Eran Hammer-Lahav wrote:
> You are the one making the argument that no one should be installing apps.
> 
> There is no known way to stop users from installing malware and viruses 
> other than not letting them install anything off a whitelist. The 
> problem you are describing has nothing to do with OAuth; it's a 
> fundamental problem with running untrusted code on your devices. Once 
> you do that, yes, OAuth can be exploited, but that's true for every 
> authentication scheme when one side is compromised.
> 
> My point, which you seem to miss, is that the same argument can be made 
> against any other protocol. TLS offers you certain protections but they 
> are all gone if you install a bad native app – following your logic 
> people should not use TLS in apps either.

I haven't missed the issue. OAuth is fundamentally trying to make an assertion
that it protects you from third-party snooping. Except that it doesn't in some
large use cases. As far as I can tell that's not documented anywhere. How many
OAuth server owners know that their users have this vulnerability?

> I do not consider this an issue.

That's the real problem here.

Mike

> 
> EHL
> 
> From: Michael Thomas <mike@mtcc.com>
> Date: Tue, 6 Sep 2011 11:58:11 -0700
> To: Eran Hammer-lahav <eran@hueniverse.com>
> Cc: "igor.faynberg@alcatel-lucent.com" <igor.faynberg@alcatel-lucent.com>, "oauth@ietf.org" <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] problem statement
> 
>     Eran Hammer-Lahav wrote:
> 
>         I'm dismissive of this being an OAuth problem. 
> 
> 
>     Which brings us back to my original problem: what is the problem
>     it's trying to solve? What are the assumptions it makes? What is its
>     applicability? None of those are addressed very well, if at all, in
>     the drafts. I'm sure that I'm not the only one who would be very
>     surprised to hear that using OAuth on a phone app is a bad idea.
> 
>     Put it this way: your favorite example of a photo printing service
>     needing access to Flickr. It's ok if you do that from a browser, but
>     not if the photo printer makes an app. How many users, exactly, are
>     going to know that they shouldn't do the second one?
> 
>     I think that's an OAuth problem because OAuth makes it *seem* like
>     you're protected from the third party, whereas if the app itself
>     asked for your login credentials there would be far less confusion.
>     So in that sense, OAuth is making things worse, not better.
> 
>     Mike
> 
>         EHL
>         On Sep 6, 2011, at 11:35, "Michael Thomas" <mike@mtcc.com
>         <mailto:mike@mtcc.com>> wrote:
> 
>             Eran Hammer-Lahav wrote:
> 
>                 Don't install crap on your device or computer. OAuth is
>                 the least of your concerns if you install bad software.
> 
>                 If there was a solution to this we would not need an
>                 antivirus. 
> 
>             How exactly does an end user know what is "crap" or not? Or
>             are you just dismissive of apps in general? I don't think
>             that Apple and Google are going to close up shop because it
>             breaks OAuth's trust model.
> 
>             Mike
> 
>                 EHL
> 
>                 On Sep 6, 2011, at 11:23, "Michael Thomas"
>                 <mike@mtcc.com <mailto:mike@mtcc.com>> wrote:
> 
>                     Eran Hammer-Lahav wrote:
> 
>                         I agree. If you are going to install a native
>                         app, you better trust it not to do bad things.
>                         Grabbing your password is the least interesting
>                         thing such an app can abuse. I don't see any
>                         need to change the v2 draft. 
> 
>                     How, exactly, is the user supposed to protect
>                     themselves against rogue apps? It sounds like the
>                     solution is to tell them to never use OAuth in an
>                     app at all.
> 
>                     Is OAuth only intended to be used on standalone
>                     trustable web browsers? I don't recall seeing that
>                     anywhere.
> 
>                     Mike
> 
>                         EHL
> 
>                         On Sep 6, 2011, at 11:10, "Igor Faynberg"
>                         <igor.faynberg@alcatel-lucent.com
>                         <mailto:igor.faynberg@alcatel-lucent.com>> wrote:
> 
>                             Mike,
> 
>                             You've got the problem statement right:
>                             allowing the user to authorize resource
>                             access to another party without divulging
>                             the user's credentials is the objective of
>                             OAuth. You are also right in that the attack
>                             you have described defies the whole purpose
>                             of OAuth. I do not think though that it is
>                             related to OAuth per se.
> 
>                             To this end, the security work led by
>                             Torsten has thoroughly analyzed the protocol
>                             and specified protection against multiple
>                             protocol attacks. From what you described,
>                             it appears to me that the attack you mention
>                             is not related to the protocol but rather to
>                             the user's environment. There is no possible
>                             protection from key loggers that a protocol
>                             can implement. I could be mistaken; in any
>                             case, it looks like the problem rests with
>                             the implementation of WebView.
> 
>                             If I am wrong, I would appreciate a detailed
>                             description of what happened.
> 
>                             Igor
> 
>                             On 9/6/2011 1:40 PM, Michael Thomas wrote:
> 
>                                 Hi all,
> 
>                                 Barry suggested that I might subscribe
>                                 and explain what I sent him.
> 
>                                 My basic problem is that in neither the
>                                 protocol nor the threats drafts can I
>                                 find what problem is actually being
>                                 solved with OAuth, and what assumptions
>                                 you're making about various elements.
> 
>                                 Here's what I did. I've written an app,
>                                 and I wanted to re-integrate the ability
>                                 to send tweets after they deprecated
>                                 Basic. So the app has a WebView (Android,
>                                 iPhone...) which it obviously completely
>                                 controls. With OAuth, the WebView UA will
>                                 ultimately redirect off to Twitter's site
>                                 to collect the user's credentials and
>                                 grant my app's backend an access token
>                                 (sorry if I get terminology screwed up,
>                                 I'm just coming up to speed).
> 
>                                 What occurs to me is that the WebView
>                                 affords exactly zero protection against
>                                 my client (i.e., the app) getting the
>                                 user's Twitter credentials. All I have to
>                                 do is set up a keypress handler on that
>                                 WebView and in a few minutes of hacking I
>                                 have a key logger, etc.
> 
>                                 So what I can't tell is whether this is
>                                 a "problem" or not, because I don't know
>                                 what problem you're trying to solve. If
>                                 the object of OAuth isn't to keep
>                                 user/server credentials out of the hands
>                                 of a third party, then what is it trying
>                                 to solve? Is there an expectation that
>                                 the UA is trusted by the user/server?
>                                 What happens when that's not the case?
> 
>                                 Regardless of whether I'm
>                                 misunderstanding, it would sure be nice
>                                 to have both the problem and your
>                                 assumptions laid out, hopefully with some
>                                 prominence, so you don't get these sorts
>                                 of dumb questions.
> 
>                                 Mike
>                                 _______________________________________________
>                                 OAuth mailing list
>                                 OAuth@ietf.org <mailto:OAuth@ietf.org>
>                                 https://www.ietf.org/mailman/listinfo/oauth
> 
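The distinction the thread is arguing about, as an added example that is not part of the original messages: a constructed Python simulation of the OAuth 2.0 authorization-code flow run once through a system browser and once through a WebView the client app hosts. The AuthorizationServer, SystemBrowser and EmbeddedWebView classes, the client id, the redirect URI and the user credentials are all assumptions made up for the demonstration; nothing here is Twitter's, Flickr's or any library's code. The protocol messages are identical in both runs. What differs is whether the client app can attach a keypress handler to the user agent, which is the point Mike raises about a WebView under the app's control.

```python
"""Simulation of where the user agent sits in the OAuth 2.0 authorization-code
flow: in the system browser, or in a WebView embedded in the client app.
Constructed example: server, client, user and password are all made up."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo data, not a real account or a real client registration.
USERS = {"alice": "correct horse battery staple"}
CLIENT_ID = "photo-printer-app"
REDIRECT_URI = "printerapp://callback"


class AuthorizationServer:
    """Minimal authorization server: a login step that issues a one-time code,
    and a token endpoint that exchanges the code for an access token."""

    def __init__(self):
        self._codes = {}    # code  -> (client_id, username)
        self._tokens = {}   # token -> username

    def authorize(self, client_id, redirect_uri, username, password):
        """Resource owner authenticates at the AS; on success the UA is sent
        back to the client's redirect URI carrying only a short-lived code."""
        if USERS.get(username) != password:
            return redirect_uri + "?" + urlencode({"error": "access_denied"})
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, code):
        """Exchange the code exactly once; wrong client or replayed code -> None."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = entry[1]
        return token

    def owner_of(self, token):
        return self._tokens.get(token)


class SystemBrowser:
    """User agent the app does not control. The only thing handed back to the
    app is the final redirect URL, so the credentials never reach it."""

    def __init__(self, server):
        self.server = server

    def run_login(self, client_id, redirect_uri, username, password,
                  host_key_handler=None):
        # host_key_handler is accepted but has nothing to hook: the app cannot
        # observe what the user types into the system browser.
        return self.server.authorize(client_id, redirect_uri, username, password)


class EmbeddedWebView(SystemBrowser):
    """User agent hosted inside the app. As the thread describes, the host can
    attach a keypress handler to the view, so every character typed into the
    authorization server's login form is delivered to the app as well."""

    def run_login(self, client_id, redirect_uri, username, password,
                  host_key_handler=None):
        if host_key_handler is not None:
            for field_name, text in (("username", username), ("password", password)):
                for ch in text:
                    host_key_handler(field_name, ch)   # the app's keypress handler
        return self.server.authorize(client_id, redirect_uri, username, password)


def run_flow(ua_class, username, password):
    """Run the flow through the given user-agent class and report what the
    client app ends up holding: the token (if any), whether the code could be
    replayed, and any keystrokes the app managed to capture."""
    server = AuthorizationServer()
    ua = ua_class(server)
    captured = {"username": "", "password": ""}

    def keylogger(field_name, ch):     # what a rogue host app would install
        captured[field_name] += ch

    redirect = ua.run_login(CLIENT_ID, REDIRECT_URI, username, password,
                            host_key_handler=keylogger)
    query = parse_qs(urlsplit(redirect).query)
    code = query.get("code", [None])[0]
    token = server.token(CLIENT_ID, code) if code else None
    return {
        "token": token,
        "owner": server.owner_of(token) if token else None,
        "code_replayable": bool(code) and server.token(CLIENT_ID, code) is not None,
        "captured": captured,
    }


if __name__ == "__main__":
    for ua in (SystemBrowser, EmbeddedWebView):
        print(ua.__name__, run_flow(ua, "alice", USERS["alice"]))
```

Both runs end with the same valid access token and the same one-time code that cannot be replayed, so the protocol itself is doing exactly what it promises; the embedded run additionally leaves the app holding the password, which no token-handling rule can prevent. Later guidance not on this page, RFC 8252 (OAuth 2.0 for Native Apps, 2017), settled the question the thread leaves open by requiring native apps to use an external user agent such as the system browser and not an embedded one for the authorization request.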