Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

David Waite <david@alkaline-solutions.com> Sat, 18 December 2021 06:11 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <CA+k3eCS2jNEj4nePQ4kzsvERGnTAw_kimkym1v=a=xFQJG78NA@mail.gmail.com>
Date: Fri, 17 Dec 2021 23:11:26 -0700
Cc: Hans Zandbelt <hans.zandbelt@zmartzone.eu>, oauth <oauth@ietf.org>
Message-Id: <FB2B5751-C124-4400-953D-202C8D726350@alkaline-solutions.com>
References: <CADNypP_AJFBc+HzKfFZ8d0hk7BZc=fYTDLNP6MroHUg-=r7FvQ@mail.gmail.com> <CAJot-L2X+Ma5BnXJ6Ys3UPJgHc_WnYtU33ast-myT2PN6rU5OQ@mail.gmail.com> <CAO_FVe5fUgS+=FoB9fJN7V0ujG+tDSb_20CgU2ffcPO3kENC=w@mail.gmail.com> <AM7PR83MB04521F9B225816B5D4D1A8F891789@AM7PR83MB0452.EURPRD83.prod.outlook.com> <CAJot-L2jB63K9RVK8F8PFEtOSXjJk+Eg4iJxs9qm7jt7zq1nMw@mail.gmail.com> <AM7PR83MB0452B729482E04F9B333D37791789@AM7PR83MB0452.EURPRD83.prod.outlook.com> <CA+iA6ujXrAqm5bY-akQyB3seD7zhZg1K26AnViOE2cHGEAvEoA@mail.gmail.com> <CA+k3eCS2jNEj4nePQ4kzsvERGnTAw_kimkym1v=a=xFQJG78NA@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ytwyo94H3BEIKiki_vkrZ5wy5PA>


> On Dec 17, 2021, at 2:44 PM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> Relax how aggressively OAuth demands that the AS automatically redirect in error conditions. And either respond with a 400 directly (which just stops things at that point) or provide a meaningful interstitial page to the user before redirecting them (which at least helps users see something is amiss). I do think OAuth is a bit overzealous in automatically returning the user's browser context to the client in error conditions. There are some situations (like prompt=none) that rely on the behavior but in most cases it isn't necessary or helpful and can be problematic. 

The problem is that if prompt=none still requires redirection without prompt or interstitial, someone wishing to treat dynamic registrations of malicious sites as clients will just start using prompt=none. Likewise, a site could still attempt to manipulate the user to release information by imitating an extension to the authentication process, such as an "expired password change" prompt.

I agree with Nov Matake's comment - phishing link email filters should treat all OAuth URLs as suspect, as OAuth has several security-recommended features like state and PKCE which do not work as expected/reliably with email. Filters integrated into the browser (such as based on the unsafe site list in Chrome) should not need changes, as they will warn on redirect to the known malicious site.

We should also continue to push as an industry for authentication technologies like WebAuthn (as well as mutual TLS and Kerberos) which are phishing resistant. We are really talking about failure of a single phishing mitigation for _known_ malicious sites - the opportunity to use any unknown malicious site or a compromised legitimate site remains open even if we do suggest changes to error behavior.

-DW
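As an added example (not code from the thread or from any authorization server the participants discuss), the following Python sketch of an AS error-response decision contrasts the three behaviours under discussion (plain 400, interstitial before redirect, automatic redirect) and makes the prompt=none gap explicit; the client registry, the `interstitial_for_dynamic` policy knob and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed client registry (hypothetical): one reviewed first-party client
# and one dynamically registered client whose redirect_uri nobody has vetted.
CLIENTS = {
    "app-reviewed": {"redirect_uris": {"https://app.example/cb"}, "dynamic": False},
    "dyn-1234":     {"redirect_uris": {"https://dyn.example/cb"}, "dynamic": True},
}


@dataclass
class Outcome:
    kind: str                      # "400", "interstitial" or "redirect"
    location: Optional[str] = None # redirect target, when one is allowed at all


def error_response(params: dict, error: str,
                   interstitial_for_dynamic: bool = True) -> Outcome:
    """Decide how the AS reports authorization error `error` for request `params`.

    - Unknown client_id or unregistered redirect_uri: plain 400, never redirect
      (RFC 6749 section 4.1.2.1 already forbids redirecting here).
    - Interactive request: show an interstitial first, so the user sees the AS
      is handing them off and to which site.
    - prompt=none: the client relies on a silent error redirect. Left alone, this
      is the gap the thread names: a dynamically registered client can send
      prompt=none to get the automatic bounce the interstitial would otherwise stop.
    """
    client = CLIENTS.get(params.get("client_id", ""))
    uri = params.get("redirect_uri", "")
    if client is None or uri not in client["redirect_uris"]:
        return Outcome("400")
    query = {"error": error}
    if "state" in params:
        query["state"] = params["state"]   # echo state so the client can correlate
    location = f"{uri}?{urlencode(query)}"
    silent = params.get("prompt") == "none"
    # Assumed policy (not proposed in the thread): unvetted dynamic clients do not
    # get the silent redirect; they see the interstitial even for prompt=none.
    if silent and not (client["dynamic"] and interstitial_for_dynamic):
        return Outcome("redirect", location)
    return Outcome("interstitial", location)
```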