Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

William Mills <wmills_92105@yahoo.com> Wed, 06 February 2013 17:56 UTC


Yes, MAC relies on SSL for transport security.  But you have bigger problems than that if SSL is broken, because your primary authentication credential is compromised now.

Do we need to address sslstrip here if it's a general attack on SSL transport for the browser?


________________________________
 From: Prabath Siriwardena <prabath@wso2.com>
To: William Mills <wmills_92105@yahoo.com> 
Cc: L. Preston Sego III <LPSego3@gmail.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Wednesday, February 6, 2013 8:23 AM
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92105@yahoo.com> wrote:

There are two efforts at signed token types: MAC which is still a possibility if we wake up and do it, and the "Holder Of Key" type tokens.

If someone can use sslstrip then even MAC is not safe - since the MAC key needs to be transferred over SSL to the Client from the AS.

There are standard ways in HTTP to avoid or protect from sslstrip - IMHO we need to occupy those best practices...

Thanks & regards,
-Prabath
 

>
>There are a lot of folks that agree with you.
>
>
>
>________________________________
> From: L. Preston Sego III <LPSego3@gmail.com>
>To: oauth@ietf.org 
>Sent: Friday, February 1, 2013 7:37 AM
>Subject: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
> 
>
>
>In an oauth2 request, the access token is passed along in the header, with nothing else.
>
>
>As I understand it, oauth2 was designed to be simple for everyone to use. And while that's true, I don't really like how all of the security is reliant on SSL.
>
>
>What if an attacker can strip away SSL using a tool such as sslstrip (or whatever else would be more suitable for modern https)? They would be able to see the access token and start forging whatever requests they want to.
>
>
>Why not do some sort of RSA-type public-private key thing like back in OAuth1, where there is verification of the payload on each request? Just use a better algorithm?
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732 

http://blog.facilelogin.com
http://RampartFAQ.com
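The signed-token approach that Mills and Prabath discuss above (MAC tokens, where each request is authenticated with a key rather than a bearer token being presented), as an added example that is not part of the thread or of any IETF draft. It is a simplified HMAC scheme modeled on the normalized request string of the OAuth 2.0 MAC draft; the key id, MAC key, nonce and request values are all constructed, and the resource server is assumed to already hold the MAC key (delivered over TLS, which is exactly the dependency Prabath points out).

```python
import base64
import hashlib
import hmac
import secrets
import time

def _normalized(ts, nonce, method, uri, host, port):
    # Everything the resource server must trust is bound into the MAC, so a
    # captured header cannot be reused for another method, path or host.
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ""]) + "\n"

def sign_request(key_id, mac_key, method, uri, host, port, ts=None, nonce=None):
    """Client side: produce the Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    digest = hmac.new(mac_key, _normalized(ts, nonce, method, uri, host, port).encode(), hashlib.sha256).digest()
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (key_id, ts, nonce, base64.b64encode(digest).decode())

def _parse(header):
    # Split 'MAC k="v", k="v", ...' into a dict; returns None for any other scheme.
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        return None
    fields = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        fields[k] = v.strip('"')
    return fields

def verify_request(keys, seen_nonces, method, uri, host, port, header, now, window=300):
    """Resource server side: True only for a fresh, unreplayed request whose MAC matches."""
    p = _parse(header)
    if p is None or p.get("id") not in keys or "nonce" not in p or "mac" not in p:
        return False  # not a MAC header, unknown key id, or missing fields
    try:
        ts = int(p["ts"])
        given = base64.b64decode(p["mac"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window:
        return False  # stale (or future-dated) timestamp
    if (p["id"], p["nonce"]) in seen_nonces:
        return False  # replay of a request that was already accepted
    expected = hmac.new(keys[p["id"]], _normalized(ts, p["nonce"], method, uri, host, port).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False  # tampered method/URI/host, or wrong key
    seen_nonces.add((p["id"], p["nonce"]))  # constructed in-memory replay cache
    return True
```

Contrast with a bearer token, where the resource server only compares the token string: a bearer value seen on the wire authorizes any request, while a captured MAC header above fails both replay and reuse against a different method or resource.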