Re: [OAUTH-WG] why are we signing?

John Panzer <jpanzer@google.com> Tue, 10 November 2009 00:33 UTC

Counter-argument:  The login pages are protected with https, so their
password is protected.  Their session cookies are sent in clear text but are
themselves encrypted and are refreshed every (say) 10 minutes to minimize
exposure from leakage.  The user's data certainly is sent in clear text form
and an attacker can both read it and impersonate the user to send data if
they grab the cookies, at least for 10 minutes.  So I got nothin' there.

(Would bearer token plus a way to securely rotate the token every N minutes
make the OAuth session at least as secure as the above scenario?)

On Mon, Nov 9, 2009 at 4:27 PM, Brian Eaton <beaton@google.com> wrote:

> On Sun, Nov 8, 2009 at 11:48 PM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
> > The problem is, we are not likely to ever reach consensus on 'reasonable security'.
>
> Agreed, we are going to need a couple of options to cover even the
> most vanilla use cases.  I fully expect other people to come up with
> more options for their specific use cases.
>
> My goal with this conversation is to identify the vanilla use cases
> that would cover most applications.
>
> > For example, I don't find most cookie-based session systems reasonably secure without SSL/TLS.
> > Being able to sit at a coffee shop with free wifi and a laptop and steal session cookies, then access people's email for the duration the cookie is valid isn't reasonable or secure.
>
> OK, so let's consider OAuth-authenticated access to such a service...
> does signing requests improve security?
>
> I don't think so.  The user's password is going to be sent in
> clear-text when they log in to the service to approve the oauth token.
> And whenever they view a web page on the service their session
> cookies are sent in clear text.  The user's data (which is what really
> matters in this whole discussion...) is sent in clear text.
>
> AFAICT, using HMAC-SHA1 or RSA-SHA1 in such an environment doesn't
> protect users that much.  The service really needs to support https if
> they are concerned about that threat model.
>
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer
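The thread's question, whether HMAC-SHA1 request signing buys anything over a bearer token that is rotated every N minutes when the channel itself is cleartext, can be made concrete with a small model. The following is an added example and not code from the thread or from any OAuth implementation; `SECRET`, the simplified base string, the `SigningServer`/`BearerServer` classes and the 300 s / 600 s windows are constructed assumptions. It checks what a passive observer who has seen one cleartext request can do next in each scheme.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # known only to client and server (assumed)

def sign(params, secret):
    """HMAC-SHA1 over sorted key=value pairs (a simplified OAuth 1.0 base string)."""
    base = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, base.encode(), hashlib.sha1).hexdigest()

class SigningServer:
    """Checks the HMAC, a timestamp window and nonce uniqueness (OAuth 1.0 style)."""
    def __init__(self, window=300):
        self.window, self.seen = window, set()
    def handle(self, req, now):
        body = {k: v for k, v in req.items() if k != "oauth_signature"}
        if not hmac.compare_digest(sign(body, SECRET), req.get("oauth_signature", "")):
            return "reject"
        if abs(now - int(body["oauth_timestamp"])) > self.window or body["oauth_nonce"] in self.seen:
            return "reject"
        self.seen.add(body["oauth_nonce"])
        return "ok"

class BearerServer:
    """Accepts any request carrying a token issued less than rotate_every seconds ago."""
    def __init__(self, rotate_every=600):
        self.rotate_every, self.tokens = rotate_every, {}
    def issue(self, now):
        tok = f"tok-{len(self.tokens)}"  # constructed token value
        self.tokens[tok] = now
        return tok
    def handle(self, req, now):
        issued = self.tokens.get(req.get("token"))
        return "ok" if issued is not None and now - issued < self.rotate_every else "reject"

def eavesdropper_outcomes():
    """What a passive observer of one cleartext request can do under each scheme."""
    out, srv = {}, SigningServer()
    legit = {"action": "read_mail", "oauth_timestamp": "1000", "oauth_nonce": "n1"}
    legit["oauth_signature"] = sign(legit, SECRET)
    out["signed:own_request"] = srv.handle(legit, 1000)  # the client's own call succeeds
    out["signed:read_body"] = legit["action"]            # body is readable in both schemes
    out["signed:replay"] = srv.handle(legit, 1001)       # same nonce -> rejected
    forged = dict(legit, action="send_mail")             # observer lacks SECRET to re-sign
    out["signed:forge"] = srv.handle(forged, 1001)
    bsrv = BearerServer(rotate_every=600)
    tok = bsrv.issue(1000)
    out["bearer:forge"] = bsrv.handle({"token": tok, "action": "send_mail"}, 1001)
    out["bearer:after_rotation"] = bsrv.handle({"token": tok, "action": "send_mail"}, 1700)
    return out
```

The model shows the split the thread is circling: signing stops forging and replay but does nothing for confidentiality of the body, while a rotated bearer token leaves a forging window whose length is exactly the rotation interval.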