Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Phil Hunt <> Thu, 15 December 2011 17:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6417B21F85FF for <>; Thu, 15 Dec 2011 09:54:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aO-OSiYePsdl for <>; Thu, 15 Dec 2011 09:54:27 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4B19A21F85A8 for <>; Thu, 15 Dec 2011 09:54:27 -0800 (PST)
Received: from ( []) by (Switch-3.4.4/Switch-3.4.4) with ESMTP id pBFHsNps027398 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 15 Dec 2011 17:54:24 GMT
Received: from ( []) by (8.14.4+Sun/8.14.4) with ESMTP id pBFHsM9r027817 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 15 Dec 2011 17:54:22 GMT
Received: from ( []) by ( with ESMTP id pBFHsM3G026077; Thu, 15 Dec 2011 11:54:22 -0600
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 15 Dec 2011 09:54:21 -0800
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="windows-1252"
From: Phil Hunt <>
In-Reply-To: <>
Date: Thu, 15 Dec 2011 09:54:44 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Barry Leiba <>
X-Mailer: Apple Mail (2.1251.1)
X-Source-IP: []
X-CT-RefId: str=0001.0A090202.4EEA3450.00C3,ss=1,re=0.000,fgs=0
Cc: oauth WG <>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 15 Dec 2011 17:54:28 -0000

Note: one change recommended below...

With regards to 4.1.4…
4.1.4.  Threat: End-user credentials phished using compromised or
        embedded browser

   A malicious application could attempt to phish end-user passwords by
   misusing an embedded browser in the end-user authorization process,
   or by presenting its own user-interface instead of allowing trusted
   system browser to render the authorization user interface.  By doing
   so, the usual visual trust mechanisms may be bypassed (e.g.  TLS
   confirmation, web site mechanisms).  By using an embedded or internal
   client application user interface, the client application has access
   to additional information it should not have access to (e.g. uid/

[mat] I think it's also worth mentioning either here, or in another
threat that there is a further social engineering misuse/attack where an
app offers/demands to keep your credentials so that you don't have to go
through the authorization rigmarole. Users are already conditioned to
give their credentials up to do things -- just this morning I noticed facebook
asking for my email password which they promise with sugar on top to not
store. It might be worth mentioning that things like CAPTCHA could be
deployed to defend against that sort of attack/misuse.

[Phil] I don't think we need to really add much here. We could write whole essays on this topic and likely will. 

I think the point is simply to educate the client developer that there is no need for a client application to ever have access to a raw uid/password (or any other user credential).  




   o  Client developers and end-user can be educated to trust an
      external System-Browser only.

[mat] I assume that this is in here just for the amusement factor because
it is not a credible countermeasure.

[Phil] I agree, Firefox recently demonstrated how poorly users recognize the security signals in the browser by dropping the "lock" icon without announcement. When I found out, I had already been using it for some time and hadn't noticed.  This counter measure should be changed to:

o The OAuth flow is designed so that client applications never need to know user passwords. Where possible Client applications SHOULD avoid directly asking for user credentials during an authorization flow.

   o  Client applications could be validated prior publication in a
      application market.

[mat] How would this be done in practice?
[Phil] I think this needs to change to:

o Client applications could be validated for acceptable practices by the Resource Site provider prior to issuing production Client Credentials.

   o  Client developers should not collect authentication information
      directly from users and should instead use redirects to and back
      from a trusted external system-browser.

[mat] How would the resource/authentication server enforce such a thing?

[Phil] This is a best practice for the client developer. [Phil]




On 2011-12-15, at 6:30 AM, Barry Leiba wrote:

>> Working group last call begins today on the threat model document:
>> Please review this version and post last call comments by 9 December.
> Sorry, folks: I got a little behind here.
> Working-group last call is now over.  There were no comments in
> response to this thread, so it looks like we're mostly done here.
> Mike Thomas pointed out to me that his message here:
> ...was in reference to this document -- that might not have been clear
> because of the change in subject line.  Torsten, et al, consider that
> message to be your only working-group last call comment, and handle it
> accordingly.  When that's worked out and there's another version, we
> should be ready to send this up to the IESG.
> Barry, as chair
> _______________________________________________
> OAuth mailing list