Re: [OAUTH-WG] problem statement

[Michael Thomas <mike@mtcc.com>]

Justin Richer wrote:
> Mike,
> 
> I think this is a red herring. as this vector has nothing to do with
> mobile apps. The attack that you've suggested is also possible with a
> compromised browser on a desktop using the web flow. In this case, the
> browser (UA) can steal the user's credentials and hand them to whoever
> they want to when the user gets redirected. It doesn't have to be the
> OAuth client that's phishing the credentials, after all. 

Absolutely. I only brought it up because that is what I was working on.

> OAuth *does* work with phone apps, and it's a misnomer to say that it's
> not a good idea in such environments. In all cases, you have to trust
> the user agent and all of the mechanisms that let the user log into the
> host site. But you have to do that in order to let the user log into the
> host site at all. Fixing that is a larger problem for the web as a whole
> and ultimately outside of OAuth.

Except in the desktop web world, I choose from a *tiny* set of browsers:
chrome, firefox, opera, and, uh, ie. To a lesser or greater extent, I don't
expect that the browsers themselves are malicious. Which is a pretty ok
assumption.

With embedded web views, that assumption goes out the window. There are
100's of thousands of apps, all of which can use webviews. I have no way
to know if a given app is evil or not, and *lots* of apps provide facebook
and twitter integration. Not because they're evil, but because that's what's
expected by users. So the use model of oauth in this case is *very* different
than the desktop use case.

But I'm being told that use cases aren't the problem of oauth. I'd say that
there has all along been a hidden assumption that the browser was
a trusted entity. Since it isn't always, it should be very explicit in the
protocol, threats, and security considerations of what could happen if it's
not.

Mike, frankly this is why apps do suck but i'm not king of the world

> 
>  -- Justin
> 
> On Tue, 2011-09-06 at 15:28 -0400, Michael Thomas wrote:
>> Melinda Shore wrote:
>>> On 09/06/2011 11:11 AM, Jill Burrows wrote:
>>>> I repeat, it is not an OAuth problem.
>>> If I'm reading Mike correctly (and if I'm not it won't be the
>>> first time I've misunderstood him), he's not really asking for
>>> OAUTH to solve this particular problem but to clarify the
>>> documents and beef up discussions of what is and is not in
>>> scope.  He read the document and couldn't figure out whether
>>> or not this particular problem is the business of the working
>>> group.
>> I'm fairly certain that if somebody were deploying oauth for their servers
>> that unless the document told me that oauth doesn't provide protection
>> against third party snooping if it's embedded in any app, most people wouldn't
>> have a clue that that was a dangerous assumption.
>>
>> What this says is that oauth only works in one use case, and that only the
>> user can tell the difference. Given the proliferation of phone apps and
>> embedded webviews, it seems that the original assumptions of oauth are
>> no longer up to date.
>>
>> Mike
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>