Re: [OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
isciurus <isciurus@gmail.com> Fri, 10 April 2015 23:38 UTC
Return-Path: <isciurus@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9BFD1A9039 for <oauth@ietfa.amsl.com>; Fri, 10 Apr 2015 16:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZnOLYvFFDN55 for <oauth@ietfa.amsl.com>; Fri, 10 Apr 2015 16:38:09 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71E9D1A903F for <oauth@ietf.org>; Fri, 10 Apr 2015 16:37:45 -0700 (PDT)
Received: by igblo3 with SMTP id lo3so9971467igb.0 for <oauth@ietf.org>; Fri, 10 Apr 2015 16:37:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=wXFKa0mRXNiT6uv+dudQxvb1eVdLYxZdakyrMyhNpUs=; b=mjYoVTt++Wtrj8Z+fwqfPGWnpbEfSbkko7Ufofo/MCEg/jO2gS5R34TVmxUL9wGWev OsIt6klot5fFeMDZPiT/TP1O4+8YyvyCncpDMNDiFkP4/53azGS/LTI6MO9mkjPDucPl 9JmWa8A3hyl9O48b0qC3YohhApLFuh8zDHa3kLXJcilibQH8AiIEpUIoxmSTPk3x0Wjh BdVZF1OK9AWhQh8jRPg+/QKUhu5q8Q2aSmQLZCoPByEJT9yQg1Jnt1FD6t6ljfshNP6l ilQmKwi6uswyzIUowvfl87WXvOfSiyCq6seAclHq2yLbjQ3mQ0FGjrkenCgyUowYI8EP okHw==
X-Received: by 10.50.43.136 with SMTP id w8mr1815302igl.26.1428709064941; Fri, 10 Apr 2015 16:37:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.2.202 with HTTP; Fri, 10 Apr 2015 16:37:24 -0700 (PDT)
In-Reply-To: <A50AE169-85A3-46DE-AA24-8810B36970EA@ve7jtb.com>
References: <CAAJG_r9yM0okfWyVm0vMSXrrPJigmGWDoF3VeW8X1f=4Xso_Fg@mail.gmail.com> <A50AE169-85A3-46DE-AA24-8810B36970EA@ve7jtb.com>
From: isciurus <isciurus@gmail.com>
Date: Fri, 10 Apr 2015 16:37:24 -0700
Message-ID: <CAAJG_r9f6Z6hjq696u0wHN9-YvHcyo9SWMLd2aurHqKJtGBEgw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="089e011602a84daa020513674039"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HejaOfeKeZ8PEaZ2O-iPb2pq4aw>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 23:38:12 -0000
I would also be interested to know about the possible response headers for referrer (a draft?). Last time we brainstormed the problem with Brad Hill we thought it could break something with search engines flow and referrer policy. > I have tried to document the response headers that can help stop leaking referrer. On Fri, Apr 10, 2015 at 4:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > Thanks, > > I have tried to document the response headers that can help stop leaking > referrer. > > Being able to do the same thing to stop fragment leaking would be a good > thing. > > If the W3C adds that then I would add it to our recommendations. > > In the Interim without browser support we may need to look at other > methods to pass tokens to clients in the browser. > > I am certainly interested in tracking your proposal. > > John B. > > On Apr 10, 2015, at 4:00 PM, isciurus <isciurus@gmail.com> wrote: > > Hi, > > One of the recent drafts > https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.html was > brought to my attention. Regarding the part "2.2. Security Compromise: The > Authorization Server As Open Redirector": > > The legitimate OAuth Authorization response will include an access > token in the URI fragment. > Most web browsers will append the fragment to the URI sent in the > location header of a 302 response if no fragment is included in the > location URI. > > This browser behaviour with a url fragment reattaching is indeed used > widely in attacks on OAuth (for example, one of the recent on the bitcoin > exchange > http://sakurity.com/blog/2015/01/10/hacking-bitcoin-exchanger.html) and I > am also aware of one attack on OpenID 2 implementation leaking a valid > signature using the same technique. > We are trying to propose a browser-level protection from sensitive url > fragment data reattach on cross-domain redirects: > http://lists.w3.org/Archives/Public/ietf-http-wg/2015JanMar/0066.html > A new header in the AS response would also block fragment reattach in the > following scenario: > > https://AUTHORIZATION_SERVER/authorize?response_type=token > <https://authorization_server/authorize?response_type=token> > &client_id=good-client&scope=VALID_SCOPE > &redirect_uri=https%3A%2F%2AUTHORIZATION_SERVER%Fauthorize > %3Fresponse_type%3Dcode > %26client_id%3Dattacker-client-id > %26scope%3DINVALID_SCOPE > %26redirect_uri%3Dhttps%253A%252F%252Fattacker.com > > But it would additionally block exploitation of vulnerable clients which > have open redirects on their domains and don't whitelist their redirect_uri: > > https://AUTHORIZATION_SERVER/authorize?response_type=token > <https://authorization_server/authorize?response_type=token> > &client_id=good-client&scope=VALID_SCOPE > &redirect_uri=https%3A%2F%2good-client.com%Fopen_redirect > %3Furl%3Dhttps%253A%252F%252Fattacker.com > > This can improve the situation with already deployed clients in large > scale. Let me know if this proposal is interesting to the OAuth WG. > > Thanks, > Andrey > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > >