DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com;
 h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type;
 b=gNghri7Kh7+joxxVcl1DJQ+BkGA/YI2hna5+wHER7NrxL5866wMvxSmf6tlTWPEuksLHTWTXFmjz7qs/XJClSTfusqqO6bUR1rzOtSOzZLjBuoHOafgiul8oTxtSns1GEkCuZrUnC8iTWMGe9XNtB4a42CmSUniiY36DUagHQfc=;
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com>
 <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com>
 <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com>
 <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com>
 <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com>
 <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com>
 <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com>
 <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com>
 <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im>
 <4F04B101.3070708@mtcc.com>
 <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com>
 <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com>
 <4F04BF70.3010501@mtcc.com> <4F04CF60.1050000@lodderstedt.net>
 <4F04E362.5070406@mtcc.com>
 <90C41DD21FB7C64BB94121FBBC2E723453A72D09B9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
 <4F04F134.5050409@mtc c.com>
Message-ID: <1325726167.42441.YahooMailNeo@web31813.mail.mud.yahoo.com>
Date: Wed, 4 Jan 2012 17:16:07 -0800 (PST)
From: William Mills <wmills@yahoo-inc.com>
To: Michael Thomas <mike@mtcc.com>, Eran Hammer-Lahav <eran@hueniverse.com>
In-Reply-To: <4F04F134.5050409@mtcc.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="767760015-706396534-1325726167=:42441"
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01,
 ends 9 Dec 2011
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>

--767760015-706396534-1325726167=:42441
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

The below is unfortunately probably a no-go:=0A=0A=0A> Given these threats,=
 authentication servers MUST NOT give clients access=0A> to authentication =
services -- and by extension to resource services -- unless the=0A> authent=
ication service can thoroughly vet the trustworthiness of the client. How=
=0A> that vetting is achieved is outside of the scope of this document, but=
 the current=0A> practice of freely giving client keys to any would-be OAUT=
H client is not sufficient."=0A=0A=0AIt's unfortunately not really a solved=
 problem for widely distributed clients.=A0 I attack this by spoofing a kno=
wn client and the resource server or auth server can't tell the difference.=
=A0 That's why I was falling back to the more brutal "this doesn't protect =
you from ..." statement.=0A=0ANative mobile clients where the default exper=
ience is likely to be not to spawn a browser for the interaction are going =
to be a real problem too.=0A=0AAuth servers (I think that's where you get t=
he best control) can do their best to keep track of what clients a user has=
 authenticated and prompt the user on a new client, but it's still up to th=
e user to make sure they're not being lied to, and in practice this is only=
 marginally effective (and tends in fact to slow adoption with a "scary" me=
ssage, so product type folks don't like it). =0A=0A=0A-bill=0A=0A=0A=0A=0A_=
_______________________________=0A From: Michael Thomas <mike@mtcc.com>=0AT=
o: Eran Hammer-Lahav <eran@hueniverse.com> =0ACc: oauth WG <oauth@ietf.org>=
; Barry Leiba <barryleiba@computer.org> =0ASent: Wednesday, January 4, 2012=
 4:39 PM=0ASubject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-=
01, ends 9 Dec 2011=0A =0AOn 01/04/2012 04:05 PM, Eran Hammer-Lahav wrote:=
=0A>=0A>> -----Original Message-----=0A>> From: oauth-bounces@ietf.org [mai=
lto:oauth-bounces@ietf.org] On Behalf=0A>> Of Michael Thomas=0A>> Sent: Wed=
nesday, January 04, 2012 3:40 PM=0A>> My concern is that putting on a venee=
r of "security" will lull people into=0A>> thinking "Oh, it's safe to enter=
 my credentials here because this is really=0A>> twitterbook, not evilapp!"=
. When I had to ask them directly to put their=0A>> twitterbook credentials=
 into my app, there at least wasn't any confusion that=0A>> I had access to=
 them.=0A> This is ridiculous (e.g. the fact we are still discussing this).=
=0A>=0A> First, end users know nothing about security or OAuth. Second, evi=
l apps can create this veneer of security by faking a redirection flow with=
 or without OAuth. Suggesting that OAuth (which is a de-facto web pattern f=
or over a decade) makes anything worse is patently false.=0A>=0A> The only =
thing we can possibly add to the threat model document is to mention that "=
OAuth does not provide any protection against malicious applications and th=
at the end user is solely responsible for the trustworthiness of any native=
 application installed". That is accurate (and completely obvious to the ta=
rget audience of this document). It is not very helpful but if it will make=
 you feel better (since no one else here seems to share your concerns), I h=
ave no objection to such one line added.=0A>=0A> And again, to highlight th=
e absurdity of your security claim, it is equally important to warn develop=
ers in earthquake-prone countries to put enough distance between the Approv=
e and Deny buttons so that the user will not accidentally hit Approve durin=
g a tremor.=0A>=0A=0AIt's this kind of hostility and ad hominem that leads =
me to believe that=0Ayou have forgotten some of your lessons in charm schoo=
l.=0A=0AFor one, I am not the only one and even if I were that would still =
not be=0Aa reason to shoot the messenger. Secondly it is *not* the sole res=
ponsibility=0Aof the end user: the authentication server absolutely has a p=
art to play=0Ahere too. They have to give out client keys, after all, and i=
ts their service=0Athat could be hacked. So they have as much if not more r=
esponsibility=0Athan the end user.=0A=0ASo to Bill's request here is the te=
xt I would propose.=0A=0A"Native apps, not limited to, but including apps w=
hich are available on popular=0Amobile app stores, have the potential for g=
aining access to the end user's credentials.=0AThis can be accomplished by =
gaining access to browser UI components and key logging,=0Aspoofing the loo=
k and feel of an authentication server's authentication page, and=0Apotenti=
ally many other social engineering attacks. The potential for these attacks=
=0Aexist in many existing OAUTH2 deployments including but not limited to F=
acebook=0Aand Twitter.=0A=0AGiven these threats, authentication servers MUS=
T NOT give clients access=0Ato authentication services -- and by extension =
to resource services -- unless the=0Aauthentication service can thoroughly =
vet the trustworthiness of the client. How=0Athat vetting is achieved is ou=
tside of the scope of this document, but the current=0Apractice of freely g=
iving client keys to any would-be OAUTH client is not sufficient."=0A=0AMik=
e=0A_______________________________________________=0AOAuth mailing list=0A=
OAuth@ietf.org=0Ahttps://www.ietf.org/mailman/listinfo/oauth
--767760015-706396534-1325726167=:42441
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:Co=
urier New, courier, monaco, monospace, sans-serif;font-size:14pt"><div>The =
below is unfortunately probably a no-go:<br></div><div><br></div><div>&gt; =
Given these threats, authentication servers MUST NOT give clients access<br=
>&gt; to authentication services -- and by extension to resource services -=
- unless the<br>&gt; authentication service can thoroughly vet the trustwor=
thiness of the client. How<br>&gt; that vetting is achieved is outside of t=
he scope of this document, but the current<br>&gt; practice of freely givin=
g client keys to any would-be OAUTH client is not sufficient."<br></div><di=
v><br></div><div>It's unfortunately not really a solved problem for widely =
distributed clients.&nbsp; I attack this by spoofing a known client and the=
 resource server or auth server can't tell the difference.&nbsp; That's why=
 I was falling back to the more brutal "this doesn't protect you from
 ..." statement.</div><div><br></div><div>Native mobile clients where the d=
efault experience is likely to be not to spawn a browser for the interactio=
n are going to be a real problem too.</div><div><br></div><div>Auth servers=
 (I think that's where you get the best control) can do their best to keep =
track of what clients a user has authenticated and prompt the user on a new=
 client, but it's still up to the user to make sure they're not being lied =
to, and in practice this is only marginally effective (and tends in fact to=
 slow adoption with a "scary" message, so product type folks don't like it)=
. <br></div><div><br></div><div>-bill</div><div><br></div><div><br></div><d=
iv><br></div>  <div style=3D"font-family: Courier New, courier, monaco, mon=
ospace, sans-serif; font-size: 14pt;"> <div style=3D"font-family: times new=
 roman, new york, times, serif; font-size: 12pt;"> <font face=3D"Arial" siz=
e=3D"2"> <hr size=3D"1">  <b><span style=3D"font-weight:bold;">From:</span>=
</b>
 Michael Thomas &lt;mike@mtcc.com&gt;<br> <b><span style=3D"font-weight: bo=
ld;">To:</span></b> Eran Hammer-Lahav &lt;eran@hueniverse.com&gt; <br><b><s=
pan style=3D"font-weight: bold;">Cc:</span></b> oauth WG &lt;oauth@ietf.org=
&gt;; Barry Leiba &lt;barryleiba@computer.org&gt; <br> <b><span style=3D"fo=
nt-weight: bold;">Sent:</span></b> Wednesday, January 4, 2012 4:39 PM<br> <=
b><span style=3D"font-weight: bold;">Subject:</span></b> Re: [OAUTH-WG] WGL=
C on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011<br> </font> <br>=
=0AOn 01/04/2012 04:05 PM, Eran Hammer-Lahav wrote:<br>&gt;<br>&gt;&gt; ---=
--Original Message-----<br>&gt;&gt; From: <a ymailto=3D"mailto:oauth-bounce=
s@ietf.org" href=3D"mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</=
a> [mailto:<a ymailto=3D"mailto:oauth-bounces@ietf.org" href=3D"mailto:oaut=
h-bounces@ietf.org">oauth-bounces@ietf.org</a>] On Behalf<br>&gt;&gt; Of Mi=
chael Thomas<br>&gt;&gt; Sent: Wednesday, January 04, 2012 3:40 PM<br>&gt;&=
gt; My concern is that putting on a veneer of "security" will lull people i=
nto<br>&gt;&gt; thinking "Oh, it's safe to enter my credentials here becaus=
e this is really<br>&gt;&gt; twitterbook, not evilapp!". When I had to ask =
them directly to put their<br>&gt;&gt; twitterbook credentials into my app,=
 there at least wasn't any confusion that<br>&gt;&gt; I had access to them.=
<br>&gt; This is ridiculous (e.g. the fact we are still discussing this).<b=
r>&gt;<br>&gt; First, end users know nothing about security or OAuth. Secon=
d,
 evil apps can create this veneer of security by faking a redirection flow =
with or without OAuth. Suggesting that OAuth (which is a de-facto web patte=
rn for over a decade) makes anything worse is patently false.<br>&gt;<br>&g=
t; The only thing we can possibly add to the threat model document is to me=
ntion that "OAuth does not provide any protection against malicious applica=
tions and that the end user is solely responsible for the trustworthiness o=
f any native application installed". That is accurate (and completely obvio=
us to the target audience of this document). It is not very helpful but if =
it will make you feel better (since no one else here seems to share your co=
ncerns), I have no objection to such one line added.<br>&gt;<br>&gt; And ag=
ain, to highlight the absurdity of your security claim, it is equally impor=
tant to warn developers in earthquake-prone countries to put enough distanc=
e between the Approve and Deny buttons so that the user will not
 accidentally hit Approve during a tremor.<br>&gt;<br><br>It's this kind of=
 hostility and ad hominem that leads me to believe that<br>you have forgott=
en some of your lessons in charm school.<br><br>For one, I am not the only =
one and even if I were that would still not be<br>a reason to shoot the mes=
senger. Secondly it is *not* the sole responsibility<br>of the end user: th=
e authentication server absolutely has a part to play<br>here too. They hav=
e to give out client keys, after all, and its their service<br>that could b=
e hacked. So they have as much if not more responsibility<br>than the end u=
ser.<br><br>So to Bill's request here is the text I would propose.<br><br>"=
Native apps, not limited to, but including apps which are available on popu=
lar<br>mobile app stores, have the potential for gaining access to the end =
user's credentials.<br>This can be accomplished by gaining access to browse=
r UI components and key logging,<br>spoofing the look and feel of an
 authentication server's authentication page, and<br>potentially many other=
 social engineering attacks. The potential for these attacks<br>exist in ma=
ny existing OAUTH2 deployments including but not limited to Facebook<br>and=
 Twitter.<br><br>Given these threats, authentication servers MUST NOT give =
clients access<br>to authentication services -- and by extension to resourc=
e services -- unless the<br>authentication service can thoroughly vet the t=
rustworthiness of the client. How<br>that vetting is achieved is outside of=
 the scope of this document, but the current<br>practice of freely giving c=
lient keys to any would-be OAUTH client is not sufficient."<br><br>Mike<br>=
_______________________________________________<br>OAuth mailing list<br><a=
 ymailto=3D"mailto:OAuth@ietf.org" href=3D"mailto:OAuth@ietf.org">OAuth@iet=
f.org</a><br><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=
=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br><br><br>
 </div> </div>  </div></body></html>
--767760015-706396534-1325726167=:42441--