Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

Daniel Fett <daniel.fett@sec.uni-stuttgart.de> Fri, 01 June 2018 17:23 UTC

Return-Path: <daniel.fett@sec.uni-stuttgart.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D051D12D96A for <oauth@ietfa.amsl.com>; Fri, 1 Jun 2018 10:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uni-stuttgart.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OMPOHADxYMqi for <oauth@ietfa.amsl.com>; Fri, 1 Jun 2018 10:23:30 -0700 (PDT)
Received: from mxex2.tik.uni-stuttgart.de (mxex2.tik.uni-stuttgart.de [IPv6:2001:7c0:2041:24::a:2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66ED412D962 for <oauth@ietf.org>; Fri, 1 Jun 2018 10:23:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mxex2.tik.uni-stuttgart.de (Postfix) with ESMTP id 1DCF783183 for <oauth@ietf.org>; Fri, 1 Jun 2018 19:23:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=uni-stuttgart.de; h=content-language:content-type:content-type:in-reply-to :mime-version:user-agent:date:date:message-id:from:from :references:subject:subject:received:received; s=dkim; i= @sec.uni-stuttgart.de; t=1527873806; x=1529612607; bh=9ibTzMb7dC gACiGNQZ9KSM6+dZRYkCiJtYM5FKZUMYw=; b=VtZyBDjXY8Y7/o1d2g+xzuRyUq geOqDXEG/PAV0I/pMI+VH7e695B3/FhmS10o/yq5qMjFiO1zceKmdGmGBn5UdMi2 10uNxaVAMQR+L1RsFKBZvPijSrfsitIp1vXq7JapE+VfVaUzFdH1pl2m6AqLXd/I KdRsC5iO5rpU2PftbnBb0nou4Rn3HQR8CHfhpqxrzUQQu7iM9f5duWBqaRMKTPWX PUrkjD5jcCNXK1LrcBwXDEiGy5UIw7hpirP+7VRCe3MTQsQV0rXUdxvy5w7P2QhH Jp4s3/R2PVUuhsdrU9i+r8OrYVfYyzo+cul74foS/iv6wtxERnLAOPHLMjhg==
X-Virus-Scanned: USTUTT mailrelay AV services at mxex2.tik.uni-stuttgart.de
Received: from mxex2.tik.uni-stuttgart.de ([127.0.0.1]) by localhost (mxex2.tik.uni-stuttgart.de [127.0.0.1]) (amavisd-new, port 10031) with ESMTP id aqqspM8hWzI7 for <oauth@ietf.org>; Fri, 1 Jun 2018 19:23:26 +0200 (CEST)
Received: from [IPv6:2001:7c0:2015:182::1:32] (unknown [IPv6:2001:7c0:2015:182::1:32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mxex2.tik.uni-stuttgart.de (Postfix) with ESMTPSA for <oauth@ietf.org>; Fri, 1 Jun 2018 19:23:26 +0200 (CEST)
To: oauth@ietf.org
References: <E126FCD2-55E0-4ADB-9A3F-6EEF3955EC2C@authlete.com> <CAEKOcs1Ky7XETQ4xk2XaBZnkjyF-M_OpJvSWK5pouYgq90c5Nw@mail.gmail.com>
From: Daniel Fett <daniel.fett@sec.uni-stuttgart.de>
Openpgp: preference=signencrypt
Autocrypt: addr=daniel.fett@sec.uni-stuttgart.de; prefer-encrypt=mutual; keydata= xsFNBFbu2RUBEAC3F5+IMjFcXSj46xS8QQe6d/FAb+7IkkOdFKrINhgCialH4enWB2V3ykOX xESdrchRBCLoePyNmoJdFTijGxBMGNqSKU9rrppF5uvPFv/qIvCaBDAjFXR+qshsHjsMxTNH 67kuhkFQczKQHs4KVICG/gnssC3iejrk6Mav0MIJKXXdz6bUQPDyUTD+LsyHJ7vNfkfitnO4 rbD+kEZ0n14dQqp+c91b7X5KZVTt1c3d/N1kbruS29SlIDUJSHV0AdDZmP6wuH5a9XUIlDkP mM2bncIry3xiXWolYf3BJigxYg1XwVMYBdsrVg4kID5WY1RCHns07cDGluERcurjj3QHjToL T7VemcnFVzSphjjisi9a1QfRYCPf5xw5L8IjsAuNTBLv2DXKtL6Mf5Tv9BAZPD2em0rNS5n/ M7S6D2AAxIt9BQQ4aS16faI0gfUspj09RLdHANwOcLUPu+OE+O2IdgglBQLkadwLj9aY0ncE 8GhqFWcQ9xbtvHAljYaz5VmsOnjsadfGD8xW+QtWeFc8mfq7PncRjrc0Ywtb8TKeXkLHUQoT 4v2ilXisfOhryVj6/GuQvDjKKyUBW1tQPxei4n/W0zBC4LWehmwCH+WrFt+mTh3uHSyy9VbR FYmY6MBBMUpHHVQ3AVLgxoldu/yX/ery+fdE8MeScAWg+WE5rQARAQABzSBEYW5pZWwgRmV0 dCA8ZmV0dEBkYW5pZWxmZXR0LmRlPsLBgAQTAQgAKgIbAwUJC0c1AAULCQgHAwUVCgkICwUW AgMBAAIeAQIXgAUCVu7cmAIZAQAKCRBYD1kOlZ2qqXCPD/wLpgL6j51OUlGzLaA+Xt+QzX/v qUiHJsvv1mEnyofk/3pGr7ce/1UNp7e8/W2JnnHvz4RBaNkn07DFyOvrVNXiMyU6mKWvG6xw Ri5Qc2t1Cup+mXlNc5fxlZGnwOYXZJErYVTPodkFlbb6LKUMyg6v2P7ZEvw4YyPh7WpV5ujF VVkYBSLviNCjVwKr8WlJJlVI4uvHZshnX85lVpRNcF+Hqf7IhnJzCQ5bUNnV7aKc4WPNw7L6 EquuCAl6JGKdeV2M+S5UVN9Eaa/CQxJf8X9I3SVgWCGQ/gLt0x1oKt6oFMECJcH2LDFOJyWv 61AUIzqCdRiTUagdc+7sn2OFbbjhKin9x+Qq6pyoXa6ZcpEuyBoAy+hNU8RAXcPgvEBy4Bwx BYQ9S3uQmBx/TcYgSUbBwBhvIYRVM5DfBefolj3HyUlvHx8JO8scbdcVl+v1+f9d5x4YS16t bWNe7awE6UWM2I02+uv7SI2ieJ2zQsOulDTEYVYjWcu0hBH24K53wniyh3JHzu6RVCgewx4P 6H2WHOSVf2p9ppuIrbWh7J6pp9nFdDXESKxH3GO5LooLamGugSlRwdgsqxY0O4BbCpKIpfe8 31peA+7qbh1f4TXHo/ZQE8fZ2s4VN5XR5J5/yjfqY2pWDy1XocixzXboLAcuzGmZNutS46eH Azjo2CxTa87BTQRW7tkVARAA1cAIBWNxYj/QE7RcOHGgr8xXcKWk/wwTWgLvjEbp5tqMl3Jk EwD1Iajz1s+Qp7U+U4UqyI+ZSfm03bYFYlTyKaS2esiM+Incutg18N943xwGNc6csyNoW5/f xbDQ4hoMKsod9zjfvxpA8xLg8gjuPKi5Y698K7qDCCfGvo6e67qwFWIvrB7cv/NAoaVd1OPI 79nt2H5yWo0PE2Kd2yAMnWJ/3clLR6X4jqkmpoc2uEPE6aM7iQ6SCx7rMFP9W9OvovnzVksS dh65JRkiA3DTUWBxZM6h/oEERBTr9Q/JYXXugO300loterwBVu0ymBHdAjIlxpetFwZu/Wlb nymC4VSxGPS/+mJ9Lnh3WWjVEcP5F9WgqmfJ49BNqOjmgZ9u9VYV8R9fOaYvtPFTdGTYT9iw JYic/0xt9NcW/hRkff0UHdiN/BrTxbHVI7Qf4MLBK/+VtqVi0MLs7U80/2fPRebTq4yQ6aoY 7hErExrJ7TgTmZghsBJTd2cmau26Kb7stLJ4ySADcyrsADl03MNoj8QqVuO8HXx2InM18sHP xldjovv8dhmj7uiKmMPAqq5f8pA5bcA/EQ6S+ItjjohSLiYQtq6UgDPlt4tIA9nCfx+cGi6f o4sJE0InaQLinm0USp0zE+slpqXGwjzeFSTioL81cDGhN3dcCK94VsntblsAEQEAAcLBZQQY AQgADwUCVu7ZFQIbDAUJC0c1AAAKCRBYD1kOlZ2qqdnTD/9fOyWwdhOv4ehtR8ShfhM1FAc8 bWMfCrxTpI4baPM4fqIFgMAJ9iQ0FF6cB0zQjDwsWNC+3t+2JdiNeM8FB7s4bbJlhjaavzKK 77Kbf4WpVs7ge0+Zghc2qHRg/SQeC1G26GzSZDDWzDHFZX0va8H0KmT/tHJYD263CIcff/E9 WXT/22rrgYvuQXPIOBzON9WqUkCAvPA19xuBsDQSbXkXwiPsZRqmyktjc8GQn1iemQ/dzlU/ e6ORNrPcK15kUyPyJMaZf+6QJ8EivUyg+pTXicEcghWNYHXxop4k0y+bsay0cBN2lmNu7UEF qhO8HQmp2jrwZXFZD/fbZukXFHNWvNsvQ55flUfajPZhUokXHskkerbq6ZCS58HkWl0tqSIb 5TxNfP0zjcrlDBc8sF6UHXgNR1oUXypGOAq4iHeJNVpI4aQm/PufmeGExx6lPtJxJ9jOs5gD rYRuBfa1cJznEPNbIe0/eCv5qDpf95csdGJhM418x2xeg58PbmBByS9MXOGFtli0K9sxIej/ YdA94hlk/R9ViIPDuqDxz0PP+IRFVVOQhOprSnG8cV31oOe00e1bIBH3ttdsgp3AHqz/zlfF kZt27s1VH+aRF4STntrU97dNmxrgjq8zUZ7VgYjq8KqLg0BsDRIy4b/AnptYh6E4oE74gKCo Qoim4V9DGw==
Message-ID: <d95f2a6b-be9c-a55d-973d-165576cefb86@sec.uni-stuttgart.de>
Date: Fri, 1 Jun 2018 19:23:26 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Thunderbird/57.0
MIME-Version: 1.0
In-Reply-To: <CAEKOcs1Ky7XETQ4xk2XaBZnkjyF-M_OpJvSWK5pouYgq90c5Nw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------AB021E7DC01BCEEA677DB905"
Content-Language: de-DE
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XnwjeBXXGzrPqN0kuXEB7nAenaQ>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2018 17:23:34 -0000

Thank you Travis for your feedback!

Am 20.03.18 um 12:48 schrieb Travis Spencer:
> I read through this doc and would like to share a bit of feedback in
> hopes that it helps:
>
> * There is no mention of Content Security Policy (CSP). This is a very
> helpful security mechanism that all OAuth servers and web-based
> clients should implement. I think this needs to be addressed in this
> doc.
>     - No mention of frame breaking scripts for non-CSP aware user agents
>     -  No mention of X-Frame-Options
> * There's no mention of HSTS which all OAuth servers and web-based
> client should implement (or the reverse proxies in front of them
> should)

If I see this correctly, all of these mechanisms fall in the category of
"do web security right" that Jim mentioned, i.e., there are no concrete,
OAuth-specific attacks that would be prevented by these. If so, I think
we should not mention them in the document.

> * The examples only use 302 and don't mention that 303 is safer[1]
>    - Despite what it says in section 1.7 of RFC 6749, many people
> think that a 302 is mandated by OAuth. It would be good to recommend a
> 303 and use examples with other status codes.

Yes, we should address that.

> [1] https://arxiv.org/pdf/1601.01229v2.pdf

(That link, by the way, points to an old version of our paper. There is
an updated version with more attacks and a better presentation:
https://arxiv.org/pdf/1601.01229.pdf)

Thanks again for your feedback!

-Daniel


-- 
SEC - Institute of Information Security
University of Stuttgart
Phone +49 711 685 88468
Universitätsstraße 38 - 70569 Stuttgart - Room 2.434