IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

William Mills <wmills@yahoo-inc.com> Thu, 05 January 2012 01:16 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3089F21F87CE for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 17:16:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.211
X-Spam-Level:
X-Spam-Status: No, score=-17.211 tagged_above=-999 required=5 tests=[AWL=0.387, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HxYKMR7m-0I for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 17:16:14 -0800 (PST)
Received: from nm13-vm0.bullet.mail.ac4.yahoo.com (nm13-vm0.bullet.mail.ac4.yahoo.com [98.139.52.232]) by ietfa.amsl.com (Postfix) with SMTP id 04FAC21F87CB for <oauth@ietf.org>; Wed, 4 Jan 2012 17:16:13 -0800 (PST)
Received: from [98.139.52.195] by nm13.bullet.mail.ac4.yahoo.com with NNFMP; 05 Jan 2012 01:16:07 -0000
Received: from [98.139.52.169] by tm8.bullet.mail.ac4.yahoo.com with NNFMP; 05 Jan 2012 01:16:07 -0000
Received: from [127.0.0.1] by omp1052.mail.ac4.yahoo.com with NNFMP; 05 Jan 2012 01:16:07 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 834142.298.bm@omp1052.mail.ac4.yahoo.com
Received: (qmail 64115 invoked by uid 60001); 5 Jan 2012 01:16:07 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1325726167; bh=Xutx8L3IpZcT1o5luKWFEo3HRw6+n2uqsno6xXiRPsw=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Q84NW9K7zWIq8hmYgivm9jh9LKyL+I5Y/lpccRk68uMzdwXJc7r6E7XsPZu3wzEFzuGIwFEcgIZ5cLyBLDR2ivR11uiX1tzCZh6dtJd1+woH2nR1EDKmuF/Ht64jxOxAXcmm+G+Qt7yIN3QcA0FrCRtEfh4cnTC4LBtUyLNja7o=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=gNghri7Kh7+joxxVcl1DJQ+BkGA/YI2hna5+wHER7NrxL5866wMvxSmf6tlTWPEuksLHTWTXFmjz7qs/XJClSTfusqqO6bUR1rzOtSOzZLjBuoHOafgiul8oTxtSns1GEkCuZrUnC8iTWMGe9XNtB4a42CmSUniiY36DUagHQfc=;
X-YMail-OSG: GCOqGFwVM1nqrwIuqEJXWXiwypo9_QnJ4GtsxFzCWgibbBt OiQ6SjK7kGgkBrIOM93kattnAfqJJc_5NhhXkM3yaPtv5P3TIsXWOXnKUCD1 PYZia4ZL6G0.xL9GP00mme8lyrkK3a76Ythm_uijDhQh2tZ_aWDRVbgrfodC Fe.u3ZeXfIxqshyNBXWzuTmeGZCT3nZSW2qwT4PGBZtXSGCF.4JjnER2fJ4L LFk_7XdZBP7AHK8iZOQXdAUNz.0KCKmr0w3LyommrVDEid6JfwdtlJGZXFV1 gXFTHnntsaS2PLY1MW1N.9dFu8wlldQW.fOY.pPOGESGOb5LVTEaXQRAFQ8i 4v6nAi_27JJdGRlbZvgOTZqnr.NYMBE_2AbHguQREkKCwWjb2LFt5Wg.OGvY iGetuQALiw2axnSA40ePi30RJVCe7WVtbRsMiD0yqxg--
Received: from [209.131.62.113] by web31813.mail.mud.yahoo.com via HTTP; Wed, 04 Jan 2012 17:16:07 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.116.331537
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com> <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com> <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com> <4F04BF70.3010501@mtcc.com> <4F04CF60.1050000@lodderstedt.net> <4F04E362.5070406@mtcc.com> <90C41DD21FB7C64BB94121FBBC2E723453A72D09B9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4F04F134.5050409@mtc c.com>
Message-ID: <1325726167.42441.YahooMailNeo@web31813.mail.mud.yahoo.com>
Date: Wed, 04 Jan 2012 17:16:07 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Michael Thomas <mike@mtcc.com>, Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <4F04F134.5050409@mtcc.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="767760015-706396534-1325726167=:42441"
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 01:16:15 -0000

The below is unfortunately probably a no-go:


> Given these threats, authentication servers MUST NOT give clients access
> to authentication services -- and by extension to resource services -- unless the
> authentication service can thoroughly vet the trustworthiness of the client. How
> that vetting is achieved is outside of the scope of this document, but the current
> practice of freely giving client keys to any would-be OAUTH client is not sufficient."


It's unfortunately not really a solved problem for widely distributed clients.  I attack this by spoofing a known client and the resource server or auth server can't tell the difference.  That's why I was falling back to the more brutal "this doesn't protect you from ..." statement.

Native mobile clients where the default experience is likely to be not to spawn a browser for the interaction are going to be a real problem too.

Auth servers (I think that's where you get the best control) can do their best to keep track of what clients a user has authenticated and prompt the user on a new client, but it's still up to the user to make sure they're not being lied to, and in practice this is only marginally effective (and tends in fact to slow adoption with a "scary" message, so product type folks don't like it). 


-bill




________________________________
 From: Michael Thomas <mike@mtcc.com>
To: Eran Hammer-Lahav <eran@hueniverse.com> 
Cc: oauth WG <oauth@ietf.org>; Barry Leiba <barryleiba@computer.org> 
Sent: Wednesday, January 4, 2012 4:39 PM
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
 
On 01/04/2012 04:05 PM, Eran Hammer-Lahav wrote:
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Michael Thomas
>> Sent: Wednesday, January 04, 2012 3:40 PM
>> My concern is that putting on a veneer of "security" will lull people into
>> thinking "Oh, it's safe to enter my credentials here because this is really
>> twitterbook, not evilapp!". When I had to ask them directly to put their
>> twitterbook credentials into my app, there at least wasn't any confusion that
>> I had access to them.
> This is ridiculous (e.g. the fact we are still discussing this).
>
> First, end users know nothing about security or OAuth. Second, evil apps can create this veneer of security by faking a redirection flow with or without OAuth. Suggesting that OAuth (which is a de-facto web pattern for over a decade) makes anything worse is patently false.
>
> The only thing we can possibly add to the threat model document is to mention that "OAuth does not provide any protection against malicious applications and that the end user is solely responsible for the trustworthiness of any native application installed". That is accurate (and completely obvious to the target audience of this document). It is not very helpful but if it will make you feel better (since no one else here seems to share your concerns), I have no objection to such one line added.
>
> And again, to highlight the absurdity of your security claim, it is equally important to warn developers in earthquake-prone countries to put enough distance between the Approve and Deny buttons so that the user will not accidentally hit Approve during a tremor.
>

It's this kind of hostility and ad hominem that leads me to believe that
you have forgotten some of your lessons in charm school.

For one, I am not the only one and even if I were that would still not be
a reason to shoot the messenger. Secondly it is *not* the sole responsibility
of the end user: the authentication server absolutely has a part to play
here too. They have to give out client keys, after all, and its their service
that could be hacked. So they have as much if not more responsibility
than the end user.

So to Bill's request here is the text I would propose.

"Native apps, not limited to, but including apps which are available on popular
mobile app stores, have the potential for gaining access to the end user's credentials.
This can be accomplished by gaining access to browser UI components and key logging,
spoofing the look and feel of an authentication server's authentication page, and
potentially many other social engineering attacks. The potential for these attacks
exist in many existing OAUTH2 deployments including but not limited to Facebook
and Twitter.

Given these threats, authentication servers MUST NOT give clients access
to authentication services -- and by extension to resource services -- unless the
authentication service can thoroughly vet the trustworthiness of the client. How
that vetting is achieved is outside of the scope of this document, but the current
practice of freely giving client keys to any would-be OAUTH client is not sufficient."

Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email