Re: [OAUTH-WG] Open redirector feedback (Yaron Goland)
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 16 August 2011 22:38 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "William J. Mills" <wmills@yahoo-inc.com>
Cc: OAuth WG <oauth@ietf.org>
Date: Tue, 16 Aug 2011 15:37:41 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234502498D235@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <1313534194.51222.YahooMailNeo@web31801.mail.mud.yahoo.com>
Ok.

From: William J. Mills [mailto:wmills@yahoo-inc.com]
Sent: Tuesday, August 16, 2011 3:37 PM
To: Eran Hammer-Lahav; OAuth WG
Subject: Re: [OAUTH-WG] Open redirector feedback (Yaron Goland)

I like it, but I think using "phishing attacks" is too limited. I suggest changing "phishing attacks" to "by an attacker".

________________________________
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Sent: Tuesday, August 16, 2011 2:44 PM
Subject: [OAUTH-WG] Open redirector feedback (Yaron Goland)

Moved here to help discuss.

> 3.1.2.4. Invalid Endpoint: Comment on “open redirector”: “How many people
> even know what the heck an open redirector is? I think we need a section in
> the security considerations section that defines what an open redirector is
> and why it’s bad. Alternatively a normative reference to a complete
> definition somewhere else is also fine.”

Added new section and reference to it:

10.15. Open Redirectors

The authorization server authorization endpoint and the client redirection endpoint can be improperly configured and operate as open redirectors. An open redirector is an endpoint using a parameter to automatically redirect a user-agent to the location specified by the parameter value without any validation. Open redirectors can be used in phishing attacks to get end-users to visit malicious sites by making the URI's authority look like a familiar and trusted destination. In addition, if the authorization server allows the client to register only part of the redirection URI, an attacker can use an open redirector operated by the client to construct a redirection URI that will pass the authorization server validation but will send the authorization code or access token to an endpoint under the control of the attacker.
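To make the two sides of the proposed section 10.15 concrete, here is an added example (not part of the thread or of the OAuth draft) that contrasts partial (prefix) redirection URI registration with exact matching on the authorization server, and shows a non-open redirect handler on the client side. All hostnames, the client id, and the registration tables are constructed for illustration; the client's hypothetical `/redirect?to=` handler is assumed to be an unvalidated redirector so that the prefix-registration weakness the section describes is visible.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample registrations for one hypothetical client.
# Partial registration: only a prefix of the redirection URI is on file.
REGISTERED_PREFIX = {"client-123": "https://client.example.com/"}
# Full registration: the complete redirection URI is on file.
REGISTERED_EXACT = {"client-123": "https://client.example.com/oauth/callback"}

# Constructed redirect_uri an attacker would present: it points at the
# client's own (assumed) open redirector, with the final hop under the
# attacker's control. The authorization code would be sent to /redirect,
# which would forward it to the attacker's host.
CRAFTED_REDIRECT_URI = (
    "https://client.example.com/redirect?to=https://attacker.example/collect"
)


def canonical(uri: str) -> str:
    """Case-fold scheme and host (RFC 3986 permits this); leave the rest untouched."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path, parts.query, ""))


def redirect_uri_allowed_prefix(client_id: str, requested: str) -> bool:
    """Weak check: accept any redirect_uri that starts with the registered prefix."""
    return requested.startswith(REGISTERED_PREFIX[client_id])


def redirect_uri_allowed_exact(client_id: str, requested: str) -> bool:
    """Strong check: the whole redirect_uri must equal the registered value,
    and redirection endpoint URIs must carry no fragment component."""
    if urlsplit(requested).fragment:
        return False
    return canonical(requested) == canonical(REGISTERED_EXACT[client_id])


def safe_return_target(candidate: str, fallback: str = "/") -> str:
    """Client-side mitigation: a post-login 'return to' parameter is only
    honoured when it is a same-site path, so the endpoint cannot be used as
    an open redirector. Anything else falls back to a fixed local path."""
    if not candidate:
        return fallback
    # Reject absolute URIs, scheme-relative '//host' forms and backslash tricks.
    if not candidate.startswith("/") or candidate.startswith("//") or "\\" in candidate:
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback
    return candidate


if __name__ == "__main__":
    cid = "client-123"
    print("prefix registration accepts crafted URI:",
          redirect_uri_allowed_prefix(cid, CRAFTED_REDIRECT_URI))   # True
    print("exact registration accepts crafted URI: ",
          redirect_uri_allowed_exact(cid, CRAFTED_REDIRECT_URI))    # False
    print("client redirect of external target ->",
          safe_return_target("https://attacker.example/"))          # "/"
```

The authorization server side is the check behind "register only part of the redirection URI": with a prefix on file, the crafted URI passes because it begins with the client's origin, and the code is delivered to the client's redirector, which forwards it off-site. With the full URI on file the same request is rejected. The client side shows the simplest way to keep a redirection endpoint from being an open redirector at all: accept only local paths for any "return to" parameter, and fall back to a fixed page otherwise.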