[OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

"L. Preston Sego III" <LPSego3@gmail.com> Fri, 01 February 2013 15:37 UTC

Return-Path: <lt.sego@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 9373521E8053 for <oauth@ietfa.amsl.com>; Fri, 1 Feb 2013 07:37:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id qPzxHsvh8Gcw for <oauth@ietfa.amsl.com>; Fri, 1 Feb 2013 07:37:51 -0800 (PST)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com []) by ietfa.amsl.com (Postfix) with ESMTP id EAF7821E8030 for <oauth@ietf.org>; Fri, 1 Feb 2013 07:37:50 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id l6so2530163vcl.17 for <oauth@ietf.org>; Fri, 01 Feb 2013 07:37:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:sender:from:date:x-google-sender-auth :message-id:subject:to:content-type; bh=YMLhVN3AaUIxP/eZ83qFjhCAx1ns7EAxlrUnVqdyCHs=; b=riV5EOeMCKLezp5DSoxC1wW6bDBbtzAGxQu13rwcH7ivlv3tui0Rjka18YuZlao5Ny L4BXGe77OnqSfnFJuVlW/rTNwCQbfdK68M5mInk3V3gIpJr0VYbetgajzDva0HP8T2q5 tFIkAgzA6VFev2w6rSjBjYniEKtvsEUCl/d91Uoe3/3VX0l6ztxKkPP16EQ2fG8+untY AJ3k3x80314Lq1Ufn2Hiuz6Scm2DmL0KS8PdsLIyCqlh+mA8g1/6e1cFIciSHCE4V/wu ve32S/JLdDbCdEFBkOeCabvQOzDUWMCBJ41boj+i1h2a1DGOFkZTW7Bc2m4T/yJODeCf s3kQ==
X-Received: by with SMTP id dy9mr2330050vec.34.1359733070468; Fri, 01 Feb 2013 07:37:50 -0800 (PST)
MIME-Version: 1.0
Sender: lt.sego@gmail.com
Received: by with HTTP; Fri, 1 Feb 2013 07:37:30 -0800 (PST)
From: "L. Preston Sego III" <LPSego3@gmail.com>
Date: Fri, 01 Feb 2013 10:37:30 -0500
X-Google-Sender-Auth: 5JuKXMqcanwr07ZfspbkEwz37Wc
Message-ID: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="047d7b5d8823a7961604d4ab8600"
X-Mailman-Approved-At: Mon, 04 Feb 2013 08:12:33 -0800
Subject: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2013 15:37:51 -0000

In an oauth2 request, the access token is passed along in the header, with
nothing else.

As I understand it, oauth2 was designed to be simple for everyone to use.
And while, that's true, I don't really like how all of the security is
reliant on SSL.

what if an attack can strip away SSL using a tool such as sslstrip (or
whatever else would be more suitable for modern https)? They would be able
to see the access token and start forging whatever request he or she wants

Why not do some sort of RSA-type public-private key thing like back in
Oauth1, where there is verification of the payload on each request? Just
use a better algorithm?