Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
Sergey Beryozkin <sberyozkin@gmail.com> Wed, 06 February 2013 21:48 UTC
Message-ID: <5112CFAF.4000609@gmail.com>
Date: Wed, 06 Feb 2013 21:48:31 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: oauth@ietf.org
References: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com> <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com> <CAJV9qO_Zw3bO2L=m6AzhPGQF0B6T5_HOyuTzLTDiKGJGM=Wi7A@mail.gmail.com> <1360173369.63130.YahooMailNeo@web31810.mail.mud.yahoo.com>
In-Reply-To: <1360173369.63130.YahooMailNeo@web31810.mail.mud.yahoo.com>
On 06/02/13 17:56, William Mills wrote:
> Yes, MAC relies on SSL for transport security. But you have bigger
> problems than that if SSL is broken, because your primary authentication
> credential is compromised now.
>
> +1
>
> Do we need to address sslstrip here if it's a general attack on SSL
> transport for the browser?

When MAC is passed back to the client requesting a token in exchange for a
grant, no browser is even involved, right?

Besides, one can exchange a MAC token over two-way TLS in order to
authenticate, and I guess it is much, much trickier to have a
man-in-the-middle attack with two-way TLS.

Cheers, Sergey

> ------------------------------------------------------------------------
> *From:* Prabath Siriwardena <prabath@wso2.com>
> *To:* William Mills <wmills_92105@yahoo.com>
> *Cc:* L. Preston Sego III <LPSego3@gmail.com>; "oauth@ietf.org" <oauth@ietf.org>
> *Sent:* Wednesday, February 6, 2013 8:23 AM
> *Subject:* Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
>
> On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com>> wrote:
>
> > There are two efforts at signed token types: MAC which is still a
> > possibility if we wake up and do it, and the "Holder Of Key" type
> > tokens.
>
> If someone can use sslstrip then even MAC is not safe - since the MAC key
> needs to be transferred over SSL to the Client from the AS.
>
> There are standard ways in HTTP to avoid or protect from sslstrip - IMHO
> we need to occupy those best practices...
>
> Thanks & regards,
> -Prabath
>
> > There are a lot of folks that agree with you.
> >
> > ------------------------------------------------------------------------
> > *From:* L. Preston Sego III <LPSego3@gmail.com <mailto:LPSego3@gmail.com>>
> > *To:* oauth@ietf.org <mailto:oauth@ietf.org>
> > *Sent:* Friday, February 1, 2013 7:37 AM
> > *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
> >
> > In an oauth2 request, the access token is passed along in the
> > header, with nothing else.
> >
> > As I understand it, oauth2 was designed to be simple for everyone to
> > use. And while that's true, I don't really like how all of the
> > security is reliant on SSL.
> >
> > What if an attacker can strip away SSL using a tool such as sslstrip
> > (or whatever else would be more suitable for modern https)? They
> > would be able to see the access token and start forging whatever
> > request he or she wants to.
> >
> > Why not do some sort of RSA-type public-private key thing like back
> > in OAuth1, where there is verification of the payload on each
> > request? Just use a better algorithm?
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
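As an added illustration of the point argued in this thread (not code from the thread, from any participant, or from the MAC draft itself): a constructed, simplified MAC-style signed request, loosely modelled on the draft-ietf-oauth-v2-http-mac idea, showing why a sniffed MAC-signed request yields less than a sniffed bearer token. The key id and secret are assumed to have been issued once by the AS over TLS; the helper names, the constructed secret, the clock-skew window and the nonce cache are all assumptions, and the normalized string is not the draft's exact format.

```python
import hashlib
import hmac
import secrets
import time


def normalized(ts, nonce, method, uri, host, port):
    # Bind the MAC to every part of the request an observer might want to change.
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port)]
    return "\n".join(parts) + "\n"


def sign(secret, ts, nonce, method, uri, host, port):
    msg = normalized(ts, nonce, method, uri, host, port).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ResourceServer:
    def __init__(self, keys, skew=300):
        self.keys = keys      # key id -> MAC secret shared with the AS (assumed)
        self.skew = skew      # allowed clock skew in seconds (assumed)
        self.seen = set()     # (id, nonce) pairs already accepted, to refuse replays

    def verify(self, hdr, method, uri, host, port, now):
        secret = self.keys.get(hdr["id"])
        if secret is None or abs(now - hdr["ts"]) > self.skew:
            return False
        if (hdr["id"], hdr["nonce"]) in self.seen:
            return False
        expected = sign(secret, hdr["ts"], hdr["nonce"], method, uri, host, port)
        if not hmac.compare_digest(expected, hdr["mac"]):
            return False
        self.seen.add((hdr["id"], hdr["nonce"]))
        return True


def client_header(key_id, secret, method, uri, host, port, now):
    # The secret never leaves the client; only id, timestamp, nonce and MAC travel.
    nonce = secrets.token_hex(8)
    mac = sign(secret, now, nonce, method, uri, host, port)
    return {"id": key_id, "ts": now, "nonce": nonce, "mac": mac}


def demo():
    secret = b"constructed-demo-secret"   # constructed; issued once over TLS
    rs = ResourceServer({"kid-1": secret})
    now = int(time.time())
    hdr = client_header("kid-1", secret, "GET", "/resource/1", "api.example", 443, now)
    first = rs.verify(hdr, "GET", "/resource/1", "api.example", 443, now)
    # A captured header replayed verbatim is refused by the nonce cache.
    replay = rs.verify(hdr, "GET", "/resource/1", "api.example", 443, now + 1)
    # The captured MAC reused for a different URI fails the MAC check.
    forged = rs.verify(dict(hdr, nonce="fresh"), "GET", "/resource/2", "api.example", 443, now)
    return first, replay, forged
```

Contrast with a bearer token, where the captured header alone authorizes any request until the token expires; the MAC scheme still depends on TLS to deliver the secret, which is the caveat raised in the thread.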