Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Michael Thomas <mike@mtcc.com> Wed, 04 January 2012 19:38 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 457B111E8095; Wed, 4 Jan 2012 11:38:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wy4oGL0A4ewF; Wed, 4 Jan 2012 11:38:32 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 1126E11E808F; Wed, 4 Jan 2012 11:38:32 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q04JcM9q016967 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 4 Jan 2012 11:38:23 -0800
Message-ID: <4F04AAAE.6080702@mtcc.com>
Date: Wed, 04 Jan 2012 11:38:22 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com>
In-Reply-To: <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=9821; t=1325705906; x=1326569906; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20WGLC=20on=20draft-ietf-oau th-v2-threatmodel-01,=20ends=209=0A=20Dec=202011 |Sender:=20 |To:=20Mark=20Mcgloin=20<mark.mcgloin@ie.ibm.com> |Content-Type:=20text/plain=3B=20charset=3DUTF-8=3B=20forma t=3Dflowed |Content-Transfer-Encoding:=208bit |MIME-Version:=201.0; bh=hfyL+NK8ICEEd5ke10njhIJsp1oSOlNrqRzQtZNy1/c=; b=N8uM+EDNpAwF/GPEl+84P9LjGQSpw1czx/w4Tkl0f2xd9S0JYRRN62BfEo 3HRaSsDbWn6Po7GjHaWTKXsff37YrmTPiMYZ5wMiDKxGQ6qjkxVkkSQq8v6s E6xQDv4XRW3zm6V2K/QikIAgsQkC1DpKquOAeNxS9/sBLwsVEdW7s=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 19:38:33 -0000

On 01/04/2012 03:42 AM, Mark Mcgloin wrote:
> Hi Michael
>
> Can you clearly word the threat for which this countermeasure (or lack of)
> applies

I've already done that in my original last call comments. Given that you
rejected my comments out of hand, it doesn't appear that it was for
lack of clarity.

Mike, rather put off by the attitude of the editors in this wg

>
>
> thanks
> Mark
>
> Michael Thomas<mike@mtcc.com>  wrote on 03/01/2012 23:52:54:
>
>> From:
>>
>> Michael Thomas<mike@mtcc.com>
>>
>> To:
>>
>> Phillip Hunt<phil.hunt@oracle.com>
>>
>> Cc:
>>
>> Mark Mcgloin/Ireland/IBM@IBMIE, Barry Leiba
>> <barryleiba@computer.org>, oauth WG<oauth@ietf.org>, "oauth-
>> bounces@ietf.org"<oauth-bounces@ietf.org>
>>
>> Date:
>>
>> 03/01/2012 23:53
>>
>> Subject:
>>
>> Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec
> 2011
>> On 01/03/2012 03:46 PM, Phillip Hunt wrote:
>>> -1. I think you should be suggesting alternative text at this
>> stage. We all have same responsibilities here.
>>
>> My "responsibility", such as it is, is to bring up that the document's
>> threat mitigations suggested don't work. I am only a recent and
>> reluctant participant, versus the principals of this working group
>> who have been around for many years.
>>
>> But if you insist, here's my concise suggestion to that points that I
>> raised objections to:
>>
>> "No known mitigation exists."
>>
>> Mike
>>
>>> Phil
>>>
>>> On 2012-01-03, at 15:18, Michael Thomas<mike@mtcc.com>   wrote:
>>>
>>>> Barry -- It's now been two weeks and I haven't heard anything to
>>>> the objections I raised. It is not my responsibility to come up with
>>>> mitigation that works, it's the working group's. If there is no
> reasonable
>>>> mitigation it should just say that.
>>>>
>>>> Mike
>>>>
>>>> On 12/16/2011 06:55 AM, Michael Thomas wrote:
>>>>> On 12/16/2011 03:02 AM, Mark Mcgloin wrote:
>>>>>> Michael,
>>>>>>
>>>>>> I will review the comments from Phil where he suggests some changes
> in
>>>>>> section 4.1.4 of the threat model
>>>>>>
>>>>>> I am unclear exactly what you are proposing. If you want to propose
> a
>>>>>> clearly worded revamp of that section in the next couple of days, I
> am
>>>>>> willing to review and accept legitimate changes. Clearly worded
> means
>>>>>> concise, technically accurate and devoid of alarmist phrases
>> and words used
>>>>>> out of context, such as existential. Can I suggest you review with a
>>>>>> colleague before posting here.
>>>>> Barry -- I have gone through this section and made comments
>>>>> and was blown off seemingly without reading them at all, and
>>>>> now I'm being told to come up with text for which I can be blown
>>>>> off again: "Can I suggest you review..."
>>>>>
>>>>> The fact of the matter is that my comments say that the
>>>>> threats are understated and mitigations that are proposed do not
>>>>> work. It's not my job alone to fix this. It's the working group's.
>>>>> In fact if I were to propose text, it would be along the lines of
>>>>> "can't be mitigated" because I do not know how to fix them. If
>>>>> nobody else can come up with a better mitigation, then that
>>>>> *is* what should be there, not some hand waving nonsense that
>>>>> doesn't work.
>>>>>
>>>>> Mike, "instruct users..." feh
>>>>>
>>>>>> Regards
>>>>>> Mark
>>>>>>
>>>>>> oauth-bounces@ietf.org wrote on 15/12/2011 18:15:45:
>>>>>>
>>>>>>> From:
>>>>>>>
>>>>>>> Michael Thomas<mike@mtcc.com>
>>>>>>>
>>>>>>> To:
>>>>>>>
>>>>>>> Phil Hunt<phil.hunt@oracle.com>
>>>>>>>
>>>>>>> Cc:
>>>>>>>
>>>>>>> Barry Leiba<barryleiba@computer.org>, oauth WG<oauth@ietf.org>
>>>>>>>
>>>>>>> Date:
>>>>>>>
>>>>>>> 15/12/2011 18:16
>>>>>>>
>>>>>>> Subject:
>>>>>>>
>>>>>>> Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9
> Dec
>>>>>> 2011
>>>>>>> Sent by:
>>>>>>>
>>>>>>> oauth-bounces@ietf.org
>>>>>>>
>>>>>>> On 12/15/2011 09:54 AM, Phil Hunt wrote:
>>>>>>>> Note: one change recommended below...
>>>>>>>>
>>>>>>>> With regards to 4.1.4…
>>>>>>>> 4.1.4.  Threat: End-user credentials phished using compromised or
>>>>>>>>            embedded browser
>>>>>>>>
>>>>>>>>       A malicious application could attempt to phish end-user
> passwords
>>>>>> by
>>>>>>>>       misusing an embedded browser in the end-user
>> authorization process,
>>>>>>>>       or by presenting its own user-interface instead of
>> allowing trusted
>>>>>>>>       system browser to render the authorization user interface.
> By
>>>>>> doing
>>>>>>>>       so, the usual visual trust mechanisms may be bypassed (e.g.
> TLS
>>>>>>>>       confirmation, web site mechanisms).  By using an embedded or
>>>>>> internal
>>>>>>>>       client application user interface, the client application has
>>>>>> access
>>>>>>>>       to additional information it should not have access to (e.g.
> uid/
>>>>>>>>       password).
>>>>>>>>
>>>>>>>>
>>>>>>>> [mat] I think it's also worth mentioning either here, or in
> another
>>>>>>>> threat that there is a further social engineering misuse/attack
> where
>>>>>> an
>>>>>>>> app offers/demands to keep your credentials so that you don't have
> to
>>>>>> go
>>>>>>>> through the authorization rigmarole. Users are already conditioned
> to
>>>>>>>> give their credentials up to do things -- just this morning I
>>>>>>> noticed facebook
>>>>>>>> asking for my email password which they promise with sugar on top
> to
>>>>>> not
>>>>>>>> store. It might be worth mentioning that things like CAPTCHA could
> be
>>>>>>>> deployed to defend against that sort of attack/misuse.
>>>>>>>>
>>>>>>>> [Phil] I don't think we need to really add much here. We could
>>>>>>> write whole essays on this topic and likely will.
>>>>>>>> I think the point is simply to educate the client developer that
>>>>>>> there is no need for a client application to ever have access to a
>>>>>>> raw uid/password (or any other user credential).
>>>>>>>> [/Phi]
>>>>>>>>
>>>>>>> Remember: I came here not understanding whether this threat was
> real or
>>>>>> not.
>>>>>>> A threat document that can't be bothered to elaborate on one of the
>>>>>> biggest
>>>>>>> existential  threats to the protocol is worthless. The way it is
> worded
>>>>>>> now does
>>>>>>> not make it crystal clear that, yes, this means UIWebView's in
> iPhone
>>>>>>> apps, etc too.
>>>>>>> It should because it needs to scream: THIS THREAT APPLIES TO YOU,
> AUTH
>>>>>>> SERVER.
>>>>>>>
>>>>>>>
>>>>>>>> [snip]
>>>>>>>>
>>>>>>>>       Countermeasures:
>>>>>>>>
>>>>>>>>       o  Client developers and end-user can be educated to trust an
>>>>>>>>          external System-Browser only.
>>>>>>>>
>>>>>>>>
>>>>>>>> [mat] I assume that this is in here just for the amusement factor
>>>>>> because
>>>>>>>> it is not a credible countermeasure.
>>>>>>>>
>>>>>>>> [Phil] I agree, Firefox recently demonstrated how poorly users
>>>>>>> recognize the security signals in the browser by dropping the
> "lock"
>>>>>>> icon without announcement. When I found out, I had already been
>>>>>>> using it for some time and hadn't noticed.  This counter measure
>>>>>>> should be changed to:
>>>>>>>> o The OAuth flow is designed so that client applications never
>>>>>>> need to know user passwords. Where possible Client applications
>>>>>>> SHOULD avoid directly asking for user credentials during an
>>>>>>> authorization flow.
>>>>>>>> [/Phil]
>>>>>>>>
>>>>>>> The basic problem here is that the client app is not trusted. So if
> it's
>>>>>>> a bad
>>>>>>> actor this admonition will be ignored. If it's a good actor, there
>>>>>>> wasn't a threat
>>>>>>> in first place. So the mitigation completely misses the mark.
>>>>>>>
>>>>>>>>       o  Client applications could be validated prior publication
> in a
>>>>>>>>          application market.
>>>>>>>>
>>>>>>>> [mat] How would this be done in practice?
>>>>>>>> [Phil] I think this needs to change to:
>>>>>>>>
>>>>>>>> o Client applications could be validated for acceptable practices
>>>>>>> by the Resource Site provider prior to issuing production Client
>>>>>> Credentials.
>>>>>>> When, exactly, can we expect to see this in the field? Neither
> Twitter
>>>>>>> or Facebook
>>>>>>> do this. And even if they were so inclined, the draft provides
> exactly
>>>>>>> zero guidance
>>>>>>> as to what exactly that "validated" might mean in practice. The way
> I
>>>>>>> read this is:
>>>>>>> "we don't know how to mitigate this".
>>>>>>>> [/Phil]
>>>>>>>>       o  Client developers should not collect authentication
> information
>>>>>>>>          directly from users and should instead use redirects
>> to and back
>>>>>>>>          from a trusted external system-browser.
>>>>>>>>
>>>>>>>>
>>>>>>>> [mat] How would the resource/authentication server enforce such a
>>>>>> thing?
>>>>>>>> [Phil] This is a best practice for the client developer. [Phil]
>>>>>>>>
>>>>>>>>
>>>>>>> I don't even know what that means in the context of embedded apps.
>>>>>>> Has anybody even tried this? At the very least, an example flow
> might
>>>>>>> be useful for the uninitiated client developer.
>>>>>>>
>>>>>>> Mike
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
> >