Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 04 February 2013 16:57 UTC

Message-ID: <510FE88B.9040200@gmail.com>
Date: Mon, 04 Feb 2013 16:57:47 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: oauth@ietf.org
References: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com> <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com>
In-Reply-To: <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com>

On 04/02/13 16:27, William Mills wrote:
> There are two efforts at signed token types: MAC which is still a
> possibility if we wake up and do it,

I'd rephrase it slightly differently: it is a possibility right now. 
OAuth2 supports custom tokens, so the fact that OAuth2 may not formally 
approve MAC won't preclude the use of MAC in an OAuth2-compliant manner.

Of course, OAuth2 putting a stamp of approval on it will make it more visible; 
without it, the existing MAC draft issues (if any) will end up being 
addressed at the specific implementation level only - not ideal for the 
community at large, but it is up to OAuth2...

Cheers, Sergey


> and the "Holder Of Key" type tokens.
>
> There are a lot of folks that agree with you.
>
> ------------------------------------------------------------------------
> *From:* L. Preston Sego III <LPSego3@gmail.com>
> *To:* oauth@ietf.org
> *Sent:* Friday, February 1, 2013 7:37 AM
> *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2
> requests
>
> In an oauth2 request, the access token is passed along in the header,
> with nothing else.
>
> As I understand it, oauth2 was designed to be simple for everyone to
> use. And while that's true, I don't really like how all of the security
> is reliant on SSL.
>
> What if an attacker can strip away SSL using a tool such as sslstrip (or
> whatever else would be more suitable for modern https)? They would be
> able to see the access token and start forging whatever request he or
> she wants to.
>
> Why not do some sort of RSA-type public-private key thing like back in
> OAuth1, where there is verification of the payload on each request? Just
> use a better algorithm?
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
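Sergey's point that MAC-style tokens can be used with OAuth2 today, and Preston's question about per-request verification, come down to the same mechanism: the client holds a secret key that never goes on the wire, and each request carries a MAC computed over the request itself plus a timestamp and nonce. The block below is an added example (mine, not code from the thread, from OAuth2 or from the OAuth MAC draft); the key id, key, request fields and the canonical string layout are constructed for illustration and are a simplification of the draft's own normalized-request format. It shows, from the resource server's side, why a sniffed MAC header cannot be reused for a different request or replayed, and contrasts that with a bearer check, which has nothing to bind the token to the request.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential (not from the thread). With a MAC-style token the
# authorization server hands the client a key id plus a secret key at issuance;
# only the id travels in later requests, the key itself never does.
MAC_KEY_ID = "mac-key-0001"                   # hypothetical identifier
MAC_KEY = b"constructed-example-mac-secret"   # hypothetical secret
ISSUED_KEYS = {MAC_KEY_ID: MAC_KEY}
TIMESTAMP_WINDOW = 300  # seconds of clock skew the server tolerates


def normalized_request(ts, nonce, method, uri, host, port):
    """Canonical bytes the MAC covers: every field the server will re-derive
    from the request it actually received (simplified layout, not the draft's)."""
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ""]
    return "\n".join(fields).encode()


def compute_mac(key, ts, nonce, method, uri, host, port):
    msg = normalized_request(ts, nonce, method, uri, host, port)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(key_id, key, method, uri, host, port, ts=None):
    """Client side: the values that would go into a MAC Authorization header."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8)
    return {"id": key_id, "ts": ts, "nonce": nonce,
            "mac": compute_mac(key, ts, nonce, method, uri, host, port)}


def verify_request(header, method, uri, host, port, seen_nonces, now=None):
    """Server side: recompute the MAC over the request as received and enforce
    freshness. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    key = ISSUED_KEYS.get(header.get("id"))
    if key is None:
        return False, "unknown key id"
    if abs(now - int(header["ts"])) > TIMESTAMP_WINDOW:
        return False, "stale timestamp"
    nonce_tag = (header["id"], header["ts"], header["nonce"])
    if nonce_tag in seen_nonces:
        return False, "nonce reused"
    expected = compute_mac(key, header["ts"], header["nonce"], method, uri, host, port)
    if not hmac.compare_digest(expected, header["mac"]):
        return False, "mac mismatch"
    seen_nonces.add(nonce_tag)  # only record nonces of requests that verified
    return True, "ok"


def verify_bearer(presented, issued):
    """For contrast: a bearer token is accepted wherever it is presented, so
    the check has no request, time or nonce to bind it to."""
    return hmac.compare_digest(presented, issued)


def demo():
    """Walk one signed request through the checks the server applies."""
    seen = set()
    now = 1_360_000_000  # fixed clock so the run is deterministic
    hdr = sign_request(MAC_KEY_ID, MAC_KEY, "GET", "/resource/1?b=1", "example.com", 443, ts=now)
    return {
        "genuine": verify_request(hdr, "GET", "/resource/1?b=1", "example.com", 443, seen, now),
        # same header presented a second time for the same request
        "replayed": verify_request(hdr, "GET", "/resource/1?b=1", "example.com", 443, seen, now),
        # same header attached to a request the client never signed
        "different_uri": verify_request(hdr, "POST", "/resource/2", "example.com", 443, set(), now),
        # same header presented an hour later
        "stale": verify_request(hdr, "GET", "/resource/1?b=1", "example.com", 443, set(), now + 3600),
        # bearer comparison: the token alone is the whole credential
        "bearer_anywhere": verify_bearer("bearer-token-xyz", "bearer-token-xyz"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

The replay and freshness checks only work if the server remembers nonces for at least the timestamp window, and the MAC only protects what the canonical string covers: in this simplified layout a request body is not included, so an implementation following the draft would add a body hash to the signed fields. None of this replaces TLS; it limits what an eavesdropper gains if TLS is stripped, which is the gap Preston raised.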