[OAUTH-WG] OAuth Tokens and URIs

Jim Manico <jim@manicode.com> Fri, 09 December 2016 19:54 UTC

To: OAuth WG <oauth@ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
From: Jim Manico <jim@manicode.com>
Message-ID: <523660d6-b535-4877-2653-78be3c01b881@manicode.com>
Date: Fri, 09 Dec 2016 20:54:47 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U97-oR8YDc3szDKoGuH7FDMKhn4>

Torsten,

The
https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-security-topics/?include_text=1
guide you are working on is a special kind of magic. Thank you for
taking the time to write this very important document.

When it comes to 2.2.1, I see your great suggestion to prevent referrer
leakage. These defenses are very important, and I appreciate how clearly
you laid these out.

But I think they skip the really core problem that web security
solutions must embrace - which I believe to be, /do not put sensitive
data in URL/GET parameters/. This goes all the way back to RFC 2616
#9.1.1: "the GET and HEAD methods SHOULD NOT have the significance of
taking an action other than retrieval" which I feel implies "should not
do anything dangerous" including transport sensitive data.

OAuth 2 goes pretty wild - all the way - with putting very sensitive
tokens in URIs/URLs and I have seen some solutions that break the
"standard" and POST/PUT/PATCH when they can, keeping tokens out of POST
actions, URLs and similar. Is this worth discussing?

Thank you again for this very important and well written document.

Aloha from Hawaii,

-- 
Jim Manico
Manicode Security
https://www.manicode.com
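The leakage the post describes (tokens in GET parameters ending up in access logs, Referer headers and browser history) is something a defender can look for. The script below is an added example, not code from the post or from the draft: it scans constructed access-log lines for OAuth parameter names in request URLs and redacts such URLs before they are logged. `access_token` is the query-parameter form defined in RFC 6750; the other parameter names are assumptions about what implementations commonly use.

```python
"""Find and redact OAuth tokens carried in URL query strings (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Query-parameter names that carry OAuth credentials. access_token is the
# RFC 6750 query form; the other names are assumed ones seen in practice.
SENSITIVE_PARAMS = {"access_token", "refresh_token", "id_token", "token"}

# Constructed access-log lines (Combined Log Format); every token is fake.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Dec/2016:20:54:47 +0100] "GET /api/profile?access_token=ya29.FAKE-TOKEN&fields=name HTTP/1.1" 200 512 "https://client.example/app" "Mozilla/5.0"
198.51.100.7 - - [09/Dec/2016:20:55:01 +0100] "GET /api/profile HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Dec/2016:20:55:30 +0100] "POST /oauth/token HTTP/1.1" 200 640 "-" "curl/7.50"
203.0.113.9 - - [09/Dec/2016:20:56:02 +0100] "GET /api/files?token=FAKE-TOKEN-2 HTTP/1.1" 200 88 "-" "curl/7.50"
"""

# Request line inside a log entry: "<METHOD> <target> HTTP/<version>"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params_in(url: str) -> list:
    """Names of sensitive parameters present in the URL's query or fragment."""
    parts = urlsplit(url)
    found = []
    for component in (parts.query, parts.fragment):
        found += [k for k in parse_qs(component, keep_blank_values=True)
                  if k in SENSITIVE_PARAMS]
    return found


def scan_log(text: str) -> list:
    """(line number, method, parameter names) for each request whose URL carries a token.
    A POST that carries the token in its body produces no hit: the body is
    not in the access log, the Referer header, or the browser history."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            names = sensitive_params_in(m.group("target"))
            if names:
                hits.append((n, m.group("method"), names))
    return hits


def redact_url(url: str) -> str:
    """Replace sensitive query values so the URL can be logged or echoed safely."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe)))


if __name__ == "__main__":
    for n, method, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} request carries {names} in the URL")
    print(redact_url("/api/profile?access_token=ya29.FAKE-TOKEN&fields=name"))
```

Servers do not see URL fragments, so the fragment check in `sensitive_params_in` only matters when the function is applied to client-side URLs such as implicit-flow redirect targets.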