Re: [OAUTH-WG] why are we signing?
John Panzer <jpanzer@google.com> Tue, 10 November 2009 00:33 UTC
In-Reply-To: <daf5b9570911091627i3e70924bnda232246df3918fd@mail.gmail.com>
References: <daf5b9570911082102u215dcf22gf0aeb2f3578e5ea0@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343785078711@P3PW5EX1MB01.EX1.SECURESERVER.NET> <daf5b9570911091627i3e70924bnda232246df3918fd@mail.gmail.com>
Date: Mon, 09 Nov 2009 16:34:10 -0800
Message-ID: <cb5f7a380911091634r19f20019rabb3d1c8c9c3246f@mail.gmail.com>
From: John Panzer <jpanzer@google.com>
To: Brian Eaton <beaton@google.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] why are we signing?
Counter-argument: The login pages are protected with https, so their password is protected. Their session cookies are sent in clear text but are themselves encrypted and are refreshed every (say) 10 minutes to minimize exposure from leakage. The user's data certainly is sent in clear text form and an attacker can both read it and impersonate the user to send data if they grab the cookies, at least for 10 minutes. So I got nothin' there.

(Would bearer token plus a way to securely rotate the token every N minutes make the OAuth session at least as secure as the above scenario?)

On Mon, Nov 9, 2009 at 4:27 PM, Brian Eaton <beaton@google.com> wrote:

> On Sun, Nov 8, 2009 at 11:48 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> > The problem is, we are not likely to ever reach consensus on 'reasonable security'.
>
> Agreed, we are going to need a couple of options to cover even the most vanilla use cases. I fully expect other people to come up with more options for their specific use cases.
>
> My goal with this conversation is to identify the vanilla use cases that would cover most applications.
>
> > For example, I don't find most cookie-based session systems reasonably secure without SSL/TLS. Being able to sit at a coffee shop with free wifi and a laptop and steal session cookies, then access people's email for the duration the cookie is valid isn't reasonable or secure.
>
> OK, so let's consider OAuth-authenticated access to such a service... does signing requests improve security?
>
> I don't think so. The user's password is going to be sent in clear-text when they log in to the service to approve the oauth token. And whenever they view a web page on the service their session cookies are sent in clear text. The user's data (which is what really matters in this whole discussion...) is sent in clear text.
>
> AFAICT, using HMAC-SHA1 or RSA-SHA1 in such an environment doesn't protect users that much. The service really needs to support https if they are concerned about that threat model.
>
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
John Panzer / Google
jpanzer@google.com / abstractioneer.org / @jpanzer
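Editor's added example, not part of the thread above and not code from any of its participants: a toy model of the two designs being compared, an OAuth 1.0a-style HMAC-SHA1 signed request versus a bearer token that is rotated every N minutes, seen from the position of the coffee-shop eavesdropper who captured one plaintext request. Everything in it is constructed for the illustration: the tokens and secret, the hypothetical http://example.com/mail resource, a simplified signature base string that leaves out the consumer key and secret, a five-minute timestamp window, and a 600-second bearer-token lifetime.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed credentials for the illustration; a real server would issue them.
BEARER_TOKEN = "constructed-bearer-token"
OAUTH_TOKEN = "constructed-oauth-token"
OAUTH_TOKEN_SECRET = b"constructed-token-secret"


class FakeClock:
    """Deterministic clock so the rotation window can be stepped over."""
    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def base_string(method, url, params):
    """Simplified OAuth 1.0a-style base string (assumption: consumer key and
    secret are omitted; only the token secret keys the HMAC)."""
    items = sorted((k, v) for k, v in params.items() if k != "oauth_signature")
    return "&".join(urllib.parse.quote(part, safe="") for part in
                    (method.upper(), url, urllib.parse.urlencode(items)))


def sign(method, url, params, secret=OAUTH_TOKEN_SECRET):
    """HMAC-SHA1 over the base string, base64 encoded as in OAuth 1.0a."""
    mac = hmac.new(secret, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class SignedServer:
    """Verifies signed requests; each nonce is accepted once and the timestamp
    must lie within five minutes of the server clock."""
    def __init__(self, now):
        self.now = now
        self.seen_nonces = set()

    def handle(self, method, url, params):
        expected = sign(method, url, params)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "403 bad signature"
        if abs(self.now() - int(params["oauth_timestamp"])) > 300:
            return "403 stale timestamp"
        if params["oauth_nonce"] in self.seen_nonces:
            return "403 replayed nonce"
        self.seen_nonces.add(params["oauth_nonce"])
        return "200 ok"


class BearerServer:
    """Accepts any request carrying the current bearer token and rotates the
    token once it is older than `lifetime` seconds (the N-minute idea)."""
    def __init__(self, now, lifetime=600):
        self.now, self.lifetime = now, lifetime
        self.token, self.issued = BEARER_TOKEN, now()

    def handle(self, method, url, headers):
        if self.now() - self.issued > self.lifetime:
            self.token, self.issued = self.token + "-rotated", self.now()
        if hmac.compare_digest(headers.get("Authorization", ""), "Bearer " + self.token):
            return "200 ok"
        return "401 bad token"


def run_scenarios(start=1_000_000):
    """What a passive eavesdropper who captured one plaintext request can do."""
    clock, url = FakeClock(start), "http://example.com/mail"
    results = {}

    # Signed design: the attacker captures one legitimate signed GET.
    signed = SignedServer(clock)
    captured = {"oauth_token": OAUTH_TOKEN, "oauth_nonce": "n1",
                "oauth_timestamp": str(clock()), "q": "inbox"}
    captured["oauth_signature"] = sign("GET", url, captured)
    results["signed_legit"] = signed.handle("GET", url, captured)
    # Replaying the captured request verbatim: the nonce was already used.
    results["signed_replay"] = signed.handle("GET", url, dict(captured))
    # Reusing the captured signature on a different action: HMAC mismatch.
    forged = dict(captured, oauth_nonce="n2", q="delete-all")
    results["signed_forge"] = signed.handle("GET", url, forged)

    # Bearer design: the attacker captures the Authorization header once.
    bearer = BearerServer(clock)
    header = {"Authorization": "Bearer " + bearer.token}
    results["bearer_legit"] = bearer.handle("GET", url, header)
    # Any request with the stolen token is accepted until the token rotates...
    results["bearer_forge"] = bearer.handle("POST", url, header)
    clock.advance(601)
    # ...after which the captured token is dead (the 10-minute-style window).
    results["bearer_after_rotation"] = bearer.handle("POST", url, header)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:>22}: {outcome}")
```

The model only covers what the two mechanisms do for the request that carries them. In both cases the eavesdropper still reads the user's data in the clear, and in the signed case the web pages and session cookies used to approve the token are outside the signature entirely, which is the point Brian makes about needing https for that threat model; what signing buys is that a captured request cannot be replayed (nonce) or altered (HMAC), while a captured bearer token is good for any request until it rotates.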