Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Michael Thomas <> Thu, 05 January 2012 00:39 UTC

To: Eran Hammer-Lahav <>
Cc: oauth WG <>, Barry Leiba <>

On 01/04/2012 04:05 PM, Eran Hammer-Lahav wrote:
>> -----Original Message-----
>> From: [] On Behalf
>> Of Michael Thomas
>> Sent: Wednesday, January 04, 2012 3:40 PM
>> My concern is that putting on a veneer of "security" will lull people into
>> thinking "Oh, it's safe to enter my credentials here because this is really
>> twitterbook, not evilapp!". When I had to ask them directly to put their
>> twitterbook credentials into my app, there at least wasn't any confusion that
>> I had access to them.
> This is ridiculous (e.g. the fact we are still discussing this).
> First, end users know nothing about security or OAuth. Second, evil apps can create this veneer of security by faking a redirection flow with or without OAuth. Suggesting that OAuth (which is a de-facto web pattern for over a decade) makes anything worse is patently false.
> The only thing we can possibly add to the threat model document is to mention that "OAuth does not provide any protection against malicious applications and that the end user is solely responsible for the trustworthiness of any native application installed". That is accurate (and completely obvious to the target audience of this document). It is not very helpful but if it will make you feel better (since no one else here seems to share your concerns), I have no objection to such one line added.
> And again, to highlight the absurdity of your security claim, it is equally important to warn developers in earthquake-prone countries to put enough distance between the Approve and Deny buttons so that the user will not accidentally hit Approve during a tremor.

It's this kind of hostility and ad hominem that leads me to believe that
you have forgotten some of your lessons in charm school.

For one, I am not the only one, and even if I were, that would still not be
a reason to shoot the messenger. Secondly, it is *not* the sole responsibility
of the end user: the authentication server absolutely has a part to play
here too. They have to give out client keys, after all, and it's their service
that could be hacked. So they have as much, if not more, responsibility
than the end user.

So, to Bill's request, here is the text I would propose.

"Native apps, not limited to, but including apps which are available on popular
mobile app stores, have the potential for gaining access to the end user's credentials.
This can be accomplished by gaining access to browser UI components and key logging,
spoofing the look and feel of an authentication server's authentication page, and
potentially many other social engineering attacks. The potential for these attacks
exists in many existing OAUTH2 deployments, including but not limited to Facebook
and Twitter.

Given these threats, authentication servers MUST NOT give clients access
to authentication services -- and by extension to resource services -- unless the
authentication service can thoroughly vet the trustworthiness of the client. How
that vetting is achieved is outside of the scope of this document, but the current
practice of freely giving client keys to any would-be OAUTH client is not sufficient."