Re: [OAUTH-WG] Mix-Up and CnP/ Code injection
Nat Sakimura <sakimura@gmail.com> Tue, 17 May 2016 06:37 UTC
References: <571B60BA.8090301@lodderstedt.net> <572B56BB.9080903@uni-trier.de> <CABzCy2DB8yy9yJBzjEKmLu5gHf=ZPsnj20=iBV2JkbeY9VLu9A@mail.gmail.com> <57319A8C.3070408@uni-trier.de> <CAE14AB3-7A68-4F2A-B73D-FC98DBBBEE96@adobe.com>
In-Reply-To: <CAE14AB3-7A68-4F2A-B73D-FC98DBBBEE96@adobe.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 17 May 2016 06:37:43 +0000
Message-ID: <CABzCy2Bnn8azH6FMAv8iPA9n3=dR5XmE62Xgj30nQNQ-4Ycx8Q@mail.gmail.com>
To: Antonio Sanso <asanso@adobe.com>, Daniel Fett <fett@uni-trier.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ei0Fa3qm7GcUSmaHfYDsXUaMCd4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
We knew that's a bad practice and causes woes, so OIDC mandated exact match before the completion of OAuth. I wish we had insisted more on it. Oh, well.

On Tue, May 17, 2016 at 15:34 Antonio Sanso <asanso@adobe.com> wrote:

> hi,
>
> FWIW Facebook is not the only one here.
> Many OAuth providers do not do exact matching redirect uri validation.
> Github for example is another….
>
> regards
>
> antonio
>
> On May 10, 2016, at 10:23 AM, Daniel Fett <fett@uni-trier.de> wrote:
>
>> It does not work if the AS does not check the redirect URI completely.
>> Facebook being the main example here, and I guess they won't change this
>> soon (for backwards compatibility). Adding the iss parameter won't break
>> things.
>>
>> -Daniel
>>
>> On 09.05.2016 at 05:45, Nat Sakimura wrote:
>>
>>> Hi Daniel,
>>>
>>> May I ask again why separate redirect uri would not work for mix-up?
>>> (I know, it does not work for cut-n-paste.)
>>>
>>> Thanks,
>>>
>>> Nat
>>>
>>> On May 5, 2016 (Thu) 23:28, Daniel Fett <fett@uni-trier.de> wrote:
>>>
>>>> On 23.04.2016 at 13:47, Torsten Lodderstedt wrote:
>>>>
>>>>> I'm very much interested to find a solution within the OAuth realm as
>>>>> I'm not interested to either implement two solutions (for OpenId Connect
>>>>> and OAuth) or adopt an OpenId-specific solution to OAuth (use id tokens
>>>>> in the front channel). I therefore would like to see progress and
>>>>> propose to continue the discussion regarding mitigations for both
>>>>> threats.
>>>>>
>>>>> https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
>>>>> proposes reasonable mitigations for both attacks. There are alternatives
>>>>> as well:
>>>>> - mix up:
>>>>> -- AS specific redirect uris
>>>>> -- Meta data/turi
>>>>> (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
>>>>> - CnP:
>>>>> -- use of the nonce parameter (as a distinct mitigation beside state for
>>>>> counter XSRF)
>>>>
>>>> From our formal analysis of OAuth we are pretty confident that the
>>>> mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be
>>>> sufficient against the Mix-Up attack.
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> --
>>>> Information Security and Cryptography
>>>> Universität Trier - Tel. 0651 201 2847 - H436
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> --
>>> Nat Sakimura
>>> Chairman of the Board, OpenID Foundation
>>> Trustee, Kantara Initiative
>>
>> --
>> Information Security and Cryptography
>> Universität Trier - Tel. 0651 201 2847 - H436

--
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
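The two checks this thread keeps returning to, exact matching of redirect_uri at the AS (the OIDC rule Nat refers to, as opposed to the looser matching Antonio describes) and the `iss` parameter in the authorization response that Daniel mentions from draft-ietf-oauth-mix-up-mitigation-00, as an added Python example. This is not code from any poster, from the draft, or from any OAuth library; the client id, URIs, state and code values are constructed for the example, and the shape of the `iss`/`client_id` response parameters is taken as an assumption about that draft.

```python
"""Two defender-side checks from this thread, as a constructed example (not
code from any poster, from OIDC, or from any OAuth library):

1. Exact-match validation of redirect_uri at the authorization server (the
   rule OIDC mandates), next to the prefix matching some providers use.
2. The client-side check from draft-ietf-oauth-mix-up-mitigation-00, which
   (assumption about the draft) has the AS echo `iss` and `client_id` in the
   authorization response so the client can tell which AS actually answered.

Names, URIs and parameter values below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed client registration: one client with one registered redirect URI.
REGISTERED_REDIRECT_URIS: Dict[str, Set[str]] = {
    "client-123": {"https://client.example/cb"},
}


def redirect_uri_exact_match(client_id: str, redirect_uri: str) -> bool:
    """OIDC-style check: the presented value must be byte-for-byte equal to a
    registered URI. No normalisation, no prefix logic, no wildcard."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def redirect_uri_prefix_match(client_id: str, redirect_uri: str) -> bool:
    """The looser check the thread objects to: accept anything that starts
    with a registered URI. Included only to contrast with the exact check."""
    return any(
        redirect_uri.startswith(registered)
        for registered in REGISTERED_REDIRECT_URIS.get(client_id, set())
    )


def compare_matchers(client_id: str, redirect_uri: str) -> Dict[str, bool]:
    """Run both matchers on one candidate so the difference is visible."""
    return {
        "exact": redirect_uri_exact_match(client_id, redirect_uri),
        "prefix": redirect_uri_prefix_match(client_id, redirect_uri),
    }


@dataclass(frozen=True)
class PendingLogin:
    """What the client remembers between sending the authorization request and
    receiving the response (normally stored in the user's session)."""
    state: str
    issuer: str     # identifier of the AS the client sent the user to
    client_id: str  # client_id the client used at that AS


def check_authorization_response(pending: PendingLogin,
                                 params: Dict[str, str]) -> Tuple[bool, str]:
    """Client-side validation of the authorization response.

    Assumes the AS implements the draft's mitigation and adds `iss` and
    `client_id` to the response. A response whose `iss` differs from the AS
    this login was started with is the mix-up situation; the client must not
    forward the code to any token endpoint in that case.
    """
    if params.get("state") != pending.state:
        return False, "state mismatch"
    iss = params.get("iss")
    if iss is None:
        return False, "missing iss (AS does not implement the mitigation)"
    if iss != pending.issuer:
        return False, "iss does not match the AS this login was started with"
    if params.get("client_id") != pending.client_id:
        return False, "client_id mismatch"
    if "code" not in params:
        return False, "no authorization code in response"
    return True, "ok"


# Constructed sample data: a login started at one AS, and two responses.
SAMPLE_PENDING = PendingLogin(state="st-4f2a", issuer="https://as-one.example",
                              client_id="client-123")
SAMPLE_RESPONSE_OK = {"code": "code-1", "state": "st-4f2a",
                      "iss": "https://as-one.example", "client_id": "client-123"}
SAMPLE_RESPONSE_OTHER_AS = {"code": "code-2", "state": "st-4f2a",
                            "iss": "https://as-two.example",
                            "client_id": "client-123"}


if __name__ == "__main__":
    for uri in ("https://client.example/cb", "https://client.example/cb?x=1",
                "https://client.example/cb/extra", "https://client.example/CB"):
        print(uri, compare_matchers("client-123", uri))
    print(check_authorization_response(SAMPLE_PENDING, SAMPLE_RESPONSE_OK))
    print(check_authorization_response(SAMPLE_PENDING, SAMPLE_RESPONSE_OTHER_AS))
```

The prefix matcher accepts `https://client.example/cb?x=1` and `https://client.example/cb/extra` while the exact matcher rejects both, which is the gap Daniel's remark about "does not check the redirect URI completely" points at: AS-specific redirect URIs only help against mix-up when the AS enforces the registered value exactly. The `iss` check does not depend on that, which is why it can be added without breaking existing deployments.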