Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
Prateek Mishra <prateek.mishra@oracle.com> Mon, 04 February 2013 16:35 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 790F221F8929 for <oauth@ietfa.amsl.com>; Mon, 4 Feb 2013 08:35:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id snvDCVXnFmdL for <oauth@ietfa.amsl.com>; Mon, 4 Feb 2013 08:35:31 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id D34A221F8922 for <oauth@ietf.org>; Mon, 4 Feb 2013 08:35:31 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r14GZSue006326 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 4 Feb 2013 16:35:29 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r14GZPJj022601 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 4 Feb 2013 16:35:25 GMT
Received: from abhmt112.oracle.com (abhmt112.oracle.com [141.146.116.64]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r14GZPDC002280; Mon, 4 Feb 2013 10:35:25 -0600
Received: from [10.152.55.88] (/10.152.55.88) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 04 Feb 2013 08:35:24 -0800
Message-ID: <510FE34B.1080601@oracle.com>
Date: Mon, 04 Feb 2013 11:35:23 -0500
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: oauth@ietf.org, LPSego3@gmail.com
References: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com> <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com>
In-Reply-To: <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com>
Content-Type: multipart/alternative; boundary="------------070808080201080307040306"
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Feb 2013 16:35:32 -0000
Can you explain how SSLstrip could be used to defeat the OAuth flows? Isn't it dependent on web pages with non-HTTPs links? Which step in the OAuth exchanges would be vulnerable? BTW, there is a threats analysis document that discusses a variety of attacks and countermeasures - http://datatracker.ietf.org/doc/rfc6819/ > There are two efforts at signed token types: MAC which is still a > possibility if we wake up and do it, and the "Holder Of Key" type tokens. > > There are a lot of folks that agree with you. > > ------------------------------------------------------------------------ > *From:* L. Preston Sego III <LPSego3@gmail.com> > *To:* oauth@ietf.org > *Sent:* Friday, February 1, 2013 7:37 AM > *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of > oauth2 requests > > In an oauth2 request, the access token is passed along in the header, > with nothing else. > > As I understand it, oauth2 was designed to be simple for everyone to > use. And while, that's true, I don't really like how all of the > security is reliant on SSL. > > what if an attack can strip away SSL using a tool such as sslstrip (or > whatever else would be more suitable for modern https)? They would be > able to see the access token and start forging whatever request he or > she wants to. > > Why not do some sort of RSA-type public-private key thing like back in > Oauth1, where there is verification of the payload on each request? > Just use a better algorithm? > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] I'm concerned about how the sniffabili… L. Preston Sego III
- Re: [OAUTH-WG] I'm concerned about how the sniffa… William Mills
- Re: [OAUTH-WG] I'm concerned about how the sniffa… Prateek Mishra
- Re: [OAUTH-WG] I'm concerned about how the sniffa… Sergey Beryozkin
- Re: [OAUTH-WG] I'm concerned about how the sniffa… Lewis Adam-CAL022
- Re: [OAUTH-WG] I'm concerned about how the sniffa… Hannes Tschofenig
- Re: [OAUTH-WG] I'm concerned about how the sniffa… Prabath Siriwardena
- Re: [OAUTH-WG] I'm concerned about how the sniffa… William Mills
- Re: [OAUTH-WG] I'm concerned about how the sniffa… Prabath Siriwardena
- Re: [OAUTH-WG] I'm concerned about how the sniffa… Sergey Beryozkin