Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

William Mills <wmills_92105@yahoo.com> Mon, 04 February 2013 16:27 UTC

References: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com>
Message-ID: <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com>
Date: Mon, 04 Feb 2013 08:27:53 -0800
From: William Mills <wmills_92105@yahoo.com>
To: "L. Preston Sego III" <LPSego3@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1395015409-1689342969-1359995273=:56871"
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

There are two efforts at signed token types: MAC, which is still a possibility if we wake up and do it, and the "Holder Of Key" type tokens.

There are a lot of folks that agree with you.


________________________________
From: L. Preston Sego III <LPSego3@gmail.com>
To: oauth@ietf.org
Sent: Friday, February 1, 2013 7:37 AM
Subject: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
 

In an oauth2 request, the access token is passed along in the header, with nothing else.

As I understand it, oauth2 was designed to be simple for everyone to use. And while that's true, I don't really like how all of the security is reliant on SSL.

What if an attacker can strip away SSL using a tool such as sslstrip (or whatever else would be more suitable for modern HTTPS)? They would be able to see the access token and start forging whatever requests they want to.

Why not do some sort of RSA-type public-private key thing like back in OAuth 1, where there is verification of the payload on each request? Just use a better algorithm?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
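The exchange above contrasts a bearer token, which anyone who reads the request can reuse, with a MAC-type token that signs each request. The following is an added example, not code from either poster or from the IETF MAC draft: it shows a simplified request MAC (HMAC-SHA256 over timestamp, nonce, method, path, host, port and body hash) and a verifier that enforces key lookup, a freshness window and single-use nonces. The field layout, the key identifier `demo-key-id`, the secret, the host `api.example.com` and the fixed clock are all constructed for the demonstration; the real draft normalizes the request differently and also covers `Authorization` header syntax, which is left out here.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed demo credentials (not from any real deployment). A MAC-type
# token carries a key identifier on the wire; the secret itself never does.
KEY_ID = "demo-key-id"
MAC_KEY = b"constructed-demo-secret-do-not-reuse"
ALLOWED_SKEW_SECONDS = 300


def normalized_request(ts, nonce, method, url, body_hash):
    """String that gets MAC'd: one field per line plus a trailing newline.
    Illustrative layout only; not the exact normalization of the IETF MAC draft."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    fields = [str(ts), nonce, method.upper(), path, parts.hostname, str(port), body_hash]
    return "\n".join(fields) + "\n"


def sign_request(key, key_id, method, url, body=b"", ts=None, nonce=None):
    """Client side: produce the authentication parameters for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce if nonce is not None else secrets.token_hex(8)
    body_hash = hashlib.sha256(body).hexdigest() if body else ""
    msg = normalized_request(ts, nonce, method, url, body_hash).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"id": key_id, "ts": ts, "nonce": nonce, "mac": mac}


class Verifier:
    """Server side: recompute the MAC, then enforce freshness and single use."""

    def __init__(self, keys, now=None):
        self.keys = keys                 # key_id -> shared secret
        self.seen = set()                # (key_id, ts, nonce) already accepted
        self.now = now or (lambda: int(time.time()))

    def verify(self, auth, method, url, body=b""):
        key = self.keys.get(auth["id"])
        if key is None:
            return False, "unknown key id"
        if abs(self.now() - auth["ts"]) > ALLOWED_SKEW_SECONDS:
            return False, "timestamp outside window"
        body_hash = hashlib.sha256(body).hexdigest() if body else ""
        msg = normalized_request(auth["ts"], auth["nonce"], method, url, body_hash).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["mac"]):
            return False, "mac mismatch"
        replay_key = (auth["id"], auth["ts"], auth["nonce"])
        if replay_key in self.seen:
            return False, "replayed nonce"
        self.seen.add(replay_key)
        return True, "ok"


def demo():
    """Walk through what a captured MAC-protected request is and is not good
    for. A fixed clock keeps the run deterministic."""
    now = 1_700_000_000  # constructed epoch seconds
    verifier = Verifier({KEY_ID: MAC_KEY}, now=lambda: now)
    url = "https://api.example.com/resource/1?fields=name"
    auth = sign_request(MAC_KEY, KEY_ID, "GET", url, ts=now, nonce="n1")

    results = {}
    results["fresh"] = verifier.verify(auth, "GET", url)
    # Presenting the identical request a second time is caught by the nonce cache.
    results["replay"] = verifier.verify(auth, "GET", url)
    # The MAC is bound to the path, so it does not transfer to another resource...
    results["other_url"] = verifier.verify(auth, "GET", "https://api.example.com/resource/2")
    # ...nor to a different method against the same resource.
    results["other_method"] = verifier.verify(auth, "DELETE", url)
    # A correctly signed but old request falls outside the freshness window.
    stale = sign_request(MAC_KEY, KEY_ID, "GET", url, ts=now - 3600, nonce="n2")
    results["stale"] = verifier.verify(stale, "GET", url)
    # Without the secret, a new nonce with a made-up MAC fails verification.
    forged = dict(auth, nonce="n3", mac="00" * 32)
    results["forged"] = verifier.verify(forged, "GET", url)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} accepted={ok} ({reason})")
```

The MAC is checked before the nonce is recorded so that only authenticated requests populate the replay cache. Note what this does and does not buy over a bearer token: an observer who captures one request learns nothing reusable, but confidentiality of the request and response still depends on TLS, so request signing is a complement to transport security, not a replacement.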