Re: [OAUTH-WG] problem statement

William Mills <wmills@yahoo-inc.com> Tue, 06 September 2011 20:34 UTC

References: <4E665B25.6090709@mtcc.com> <4E6661FA.7050804@alcatel-lucent.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com>
Message-ID: <1315341386.69038.YahooMailNeo@web31806.mail.mud.yahoo.com>
Date: Tue, 06 Sep 2011 13:36:26 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Michael Thomas <mike@mtcc.com>
In-Reply-To: <4E666B65.30701@mtcc.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement

Yes, unfortunately a lot *is* on the shoulders of the users.  It's a very difficult problem.  What OAuth *does* do is hopefully make the situation incrementally better because there's an infrastructure for having the user only enter their username/password pair at the site they actually have that relationship with, and in installed apps that previously demanded caching the user password we can have a credential there instead.

None of it addresses the "is this thing safe to use?" question though.

________________________________
From: Michael Thomas <mike@mtcc.com>
To: William Mills <wmills@yahoo-inc.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>; "oauth@ietf.org" <oauth@ietf.org>
Sent: Tuesday, September 6, 2011 11:50 AM
Subject: Re: [OAUTH-WG] problem statement

William Mills wrote:
> OAuth doesn't solve this problem, and can't.  Generally the question is whether the app appears to come from a reputable source, and nowadays whether it's signed (in windows land) or otherwise certified by the provider.
> 
> If you manage to solve this problem in a real way I'd be interested in investing in your company.

Then what I don't see anywhere is that oauth is not applicable to embedded
web objects, and that end users should *never* trust oauth in a, say, phone
app. As far as I can tell, the server deploying oauth can't tell that it's
being misused, so this is all on the shoulders of the end user.

It sure looks like oauth is easily subverted in the real world.

Mike

> 
> ------------------------------------------------------------------------
> *From:* Michael Thomas <mike@mtcc.com>
> *To:* Eran Hammer-Lahav <eran@hueniverse.com>
> *Cc:* "oauth@ietf.org" <oauth@ietf.org>
> *Sent:* Tuesday, September 6, 2011 11:34 AM
> *Subject:* Re: [OAUTH-WG] problem statement
> 
> Eran Hammer-Lahav wrote:
>  > Don't install crap on you device or computer. OAuth is the least of your concern if you install bad software.
>  > If there was a solution to this we would not need an antivirus.
> 
> How exactly does an end user know what is "crap" or not? Or are you just dismissive of apps in
> general? I don't think that apple and google are going to close up shop because it breaks oauth's
> trust model.
> 
> Mike
> 
>  >
>  > EHL
>  > On Sep 6, 2011, at 11:23, "Michael Thomas" <mike@mtcc.com <mailto:mike@mtcc.com>> wrote:
>  >
>  >> Eran Hammer-Lahav wrote:
>  >>> I agree. If you are going to install a native app, you better trust it not to do bad things. Grabbing your password is the least interesting thing such an app can abuse. I don't see any need to change the v2 draft.
>  >> How, exactly, is the user supposed to protect themselves against rogue apps?
>  >> It sounds like the solution is to tell them to never use oauth in an app at all.
>  >>
>  >> Is oauth only intended to be used on standalone trustable web browsers? I don't recall
>  >> seeing that anywhere.
>  >>
>  >> Mike
>  >>
>  >>> EHL
>  >>>
>  >>> On Sep 6, 2011, at 11:10, "Igor Faynberg" <igor.faynberg@alcatel-lucent.com <mailto:igor.faynberg@alcatel-lucent.com>> wrote:
>  >>>
>  >>>> Mike,
>  >>>>
>  >>>> You've got the problem statement right: allowing the user to authorize  resource access to another party without divulging user's credentials is the objective of OAuth. You are also right in that the attack you have described defies the whole purpose of OAuth.  I do not think though that it is related to OAuth per se.
>  >>>>
>  >>>> To this end, the security work led by Torsten has thoroughly analyzed the protocol and specified protection against multiple protocol attacks.  From what you described, it appears to me that the attack you mention is not related to the protocol but rather to the user's environment.  There is no possible protection from key loggers that a protocol can implement. I could be mistaken; in any case, it looks like the problem rests with the implementation of WebView.
>  >>>>
>  >>>> If I am wrong, I would appreciate a detailed description of what happened.
>  >>>>
>  >>>> Igor
>  >>>>
>  >>>> On 9/6/2011 1:40 PM, Michael Thomas wrote:
>  >>>>> Hi all,
>  >>>>>
>  >>>>> Barry suggested that I might subscribe and explain what I sent him.
>  >>>>>
>  >>>>> My basic problem is that, in both the protocol and the threats drafts,
>  >>>>> I can't seem to find what problem is actually trying to be solved with
>  >>>>> oauth, and what assumptions you're making about various elements.
>  >>>>>
>  >>>>> Here's what I did. I've written an app, and I wanted re-integrate the
>  >>>>> ability to send tweets after they deprecated Basic. So the app has a
>  >>>>> webView (android, iphone...) which it obviously completely controls.
>  >>>>> With oauth, the webview UA will ultimately redirect off to Twitter's
>  >>>>> site to collect the user's credentials and grant my app's backend an
>  >>>>> access token (sorry if I get terminology screwed up, i'm just coming
>  >>>>> up to speed).
>  >>>>>
>  >>>>> What occurs to me is that webview affords exactly zero protection against
>  >>>>> my client (i.e., the app) getting the user's twitter credentials. All
>  >>>>> I have to do is set up a keypress handler on that webview and in a few
>  >>>>> minutes of hacking I have a key logger. etc.
>  >>>>>
>  >>>>> So what I can't tell is whether this is a "problem" or not, because I
>  >>>>> don't know what problem you're trying to solve. If the object of oauth
>  >>>>> isn't to keep user/server credentials out of the hands of a third party,
>  >>>>> then what is it trying to solve? Is there an expectation that the
>  >>>>> UA is trusted by the user/server? What happens when that's not the case?
>  >>>>>
>  >>>>> Regardless of whether I'm misunderstanding, it would sure be nice to have
>  >>>>> both the problem and your assumptions laid out, hopefully with some prominence
>  >>>>> so you don't get these sorts of dumb questions.
>  >>>>>
>  >>>>> Mike
>  >>>>> _______________________________________________
>  >>>>> OAuth mailing list
>  >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>  >>>>> https://www.ietf.org/mailman/listinfo/oauth
>  >>>> _______________________________________________
>  >>>> OAuth mailing list
>  >>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>  >>>> https://www.ietf.org/mailman/listinfo/oauth
>  >>> _______________________________________________
>  >>> OAuth mailing list
>  >>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>  >>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
> 
>