Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

Prabath Siriwardena <prabath@wso2.com> Wed, 06 February 2013 16:23 UTC

Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCB4D21F88CA for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 08:23:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.594
X-Spam-Level:
X-Spam-Status: No, score=-2.594 tagged_above=-999 required=5 tests=[AWL=0.382, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4GC-JF1sSix for <oauth@ietfa.amsl.com>; Wed, 6 Feb 2013 08:23:06 -0800 (PST)
Received: from mail-ea0-f169.google.com (mail-ea0-f169.google.com [209.85.215.169]) by ietfa.amsl.com (Postfix) with ESMTP id E234421F879E for <oauth@ietf.org>; Wed, 6 Feb 2013 08:23:04 -0800 (PST)
Received: by mail-ea0-f169.google.com with SMTP id d13so704620eaa.14 for <oauth@ietf.org>; Wed, 06 Feb 2013 08:23:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:x-gm-message-state; bh=8efow7MFoc9jZx7Cx2U7WQDtYUPcaNAhbqstTlsAULc=; b=gofaVkQGM1sRW+wDX4xq/Mq6rsqat3wOkGF1dBWspoh56QR9AECCqI5vxDoLn7EEJD v4KKHoKhsgtdNfVyeIZFl2Rg29/X2wB1qA7hS8HXw+q8aIVWyDLrclUosCV+cW7o7H3U VT+KAnjI8iEqB2m6jlJD5cqgrDhhQHJGx+0dXY/aarNvNINef0xsGAAvVhrWdq3GKWGk v6yxupew3Ut3RdTCMjeF1+k6tZuz0U3gmITQ46VQ5mh8cc/DqSvs1GsWtLeTI2jQ6/Xn GQwCa4D4v8G/BwZ3F5kYBQ1M5nOC5jo91EnnPBKC18Qt4T2WUSaCuKuQdmREIwcU+cOm Zr+g==
MIME-Version: 1.0
X-Received: by 10.14.203.3 with SMTP id e3mr98776253eeo.9.1360167783684; Wed, 06 Feb 2013 08:23:03 -0800 (PST)
Received: by 10.223.175.134 with HTTP; Wed, 6 Feb 2013 08:23:03 -0800 (PST)
In-Reply-To: <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com>
References: <CAEeqsMat2_zoSCyx7uN373m1SMNGAz=QxEmVYWOYax=Ppt2LnQ@mail.gmail.com> <1359995273.56871.YahooMailNeo@web31809.mail.mud.yahoo.com>
Date: Wed, 6 Feb 2013 21:53:03 +0530
Message-ID: <CAJV9qO_Zw3bO2L=m6AzhPGQF0B6T5_HOyuTzLTDiKGJGM=Wi7A@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: William Mills <wmills_92105@yahoo.com>
Content-Type: multipart/alternative; boundary=047d7b343b2a94d91704d510bd21
X-Gm-Message-State: ALoCoQlzVCzfnHkkQ9/z61AMkYLvP6k/UstZZoaMR3YAR0e4aKlfYsm4sfAo6ZQ+H1LNuvfWJ0tz
Cc: "oauth@ietf.org" <oauth@ietf.org>, "L. Preston Sego III" <LPSego3@gmail.com>
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2013 16:23:08 -0000

On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92105@yahoo.com>wrote:

> There are two efforts at signed token types: MAC which is still a
> possibility if we wake up and do it, and the "Holder Of Key" type tokens.
>

If someone can use sslstrip then even MAC is not safe - since MAC key needs
to be transferred over SSL to the Client from the AS.

There are standard ways in HTTP to avoid or protect from sslstrip - IMHO we
need to occupy those best practices...

Thanks & regards,
-Prabath


>
> There are a lot of folks that agree with you.
>
>   ------------------------------
> *From:* L. Preston Sego III <LPSego3@gmail.com>
> *To:* oauth@ietf.org
> *Sent:* Friday, February 1, 2013 7:37 AM
> *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2
> requests
>
> In an oauth2 request, the access token is passed along in the header, with
> nothing else.
>
> As I understand it, oauth2 was designed to be simple for everyone to use.
> And while, that's true, I don't really like how all of the security is
> reliant on SSL.
>
> what if an attack can strip away SSL using a tool such as sslstrip (or
> whatever else would be more suitable for modern https)? They would be able
> to see the access token and start forging whatever request he or she wants
> to.
>
> Why not do some sort of RSA-type public-private key thing like back in
> Oauth1, where there is verification of the payload on each request? Just
> use a better algorithm?
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com