Re: [OAUTH-WG] Mix-Up and CnP/ Code injection

Nat Sakimura <sakimura@gmail.com> Tue, 17 May 2016 06:37 UTC

References: <571B60BA.8090301@lodderstedt.net> <572B56BB.9080903@uni-trier.de> <CABzCy2DB8yy9yJBzjEKmLu5gHf=ZPsnj20=iBV2JkbeY9VLu9A@mail.gmail.com> <57319A8C.3070408@uni-trier.de> <CAE14AB3-7A68-4F2A-B73D-FC98DBBBEE96@adobe.com>
In-Reply-To: <CAE14AB3-7A68-4F2A-B73D-FC98DBBBEE96@adobe.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 17 May 2016 06:37:43 +0000
Message-ID: <CABzCy2Bnn8azH6FMAv8iPA9n3=dR5XmE62Xgj30nQNQ-4Ycx8Q@mail.gmail.com>
To: Antonio Sanso <asanso@adobe.com>, Daniel Fett <fett@uni-trier.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ei0Fa3qm7GcUSmaHfYDsXUaMCd4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mix-Up and CnP/ Code injection

We knew that was a bad practice and caused woes, which is why OIDC mandated exact
match before the completion of OAuth. I wish we had insisted more on it.
Oh, well.
On Tue, May 17, 2016 at 15:34 Antonio Sanso <asanso@adobe.com> wrote:

> hi,
>
> FWIW Facebook is not the only one here.
> Many OAuth providers do not do exact-match redirect URI validation.
> GitHub, for example, is another….
>
> regards
>
> antonio
>
> On May 10, 2016, at 10:23 AM, Daniel Fett <fett@uni-trier.de> wrote:
>
> It does not work if the AS does not check the redirect URI completely.
> Facebook being the main example here, and I guess they won't change this
> soon (for backwards compatibility). Adding the iss parameter won't break
> things.
>
> -Daniel
>
> On 09.05.2016 at 05:45, Nat Sakimura wrote:
>
> Hi Daniel,
>
> May I ask again why separate redirect uri would not work for mix-up?
> (I know, it does not work for cut-n-paste.)
>
> Thanks,
>
> Nat
>
> On Thu, 5 May 2016 at 23:28, Daniel Fett <fett@uni-trier.de> wrote:
>
>    On 23.04.2016 at 13:47, Torsten Lodderstedt wrote:
>
> I'm very much interested to find a solution within the OAuth realm as
> I'm not interested to either implement two solutions (for OpenID Connect
> and OAuth) or adopt an OpenID-specific solution to OAuth (use id tokens
> in the front channel). I therefore would like to see progress and
> propose to continue the discussion regarding mitigations for both
> threats.
>
> https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
> proposes reasonable mitigations for both attacks. There are alternatives
> as well:
> - mix up:
> -- AS specific redirect uris
> -- Meta data/turi
> (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
> - CnP:
> -- use of the nonce parameter (as a distinct mitigation beside state
> to counter XSRF)
>
>
>    From our formal analysis of OAuth we are pretty confident that the
>    mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be
>    sufficient against the Mix-Up attack.
>
>    Cheers,
>    Daniel
>
>
>    --
>    Informationssicherheit und Kryptografie
>    Universität Trier - Tel. 0651 201 2847 - H436
>
>    _______________________________________________
>    OAuth mailing list
>    OAuth@ietf.org
>    https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura
> Chairman of the Board, OpenID Foundation
> Trustee, Kantara Initiative
>
-- 
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
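The two controls the thread keeps returning to, exact-match redirect URI validation at the authorization server and an `iss` check at the client for mix-up, as an added Python sketch. This is not code from the thread, from the OAuth WG or from any of the drafts cited above; the client IDs, issuer URLs, redirect URIs and the `RelyingParty` class are constructed for illustration, and the `iss`-in-response idea follows the approach draft-ietf-oauth-mix-up-mitigation-00 is described as proposing.

```python
import secrets

# Constructed registration data (not from the thread): each client registers
# its full redirect URIs. There is no prefix or pattern form to match against.
REGISTERED_REDIRECT_URIS = {
    "client-a": {"https://app.example.com/cb", "https://app.example.com/cb/native"},
}


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """AS-side check: accept redirect_uri only on exact string equality with a
    value registered for this client. Prefix matching, the practice the
    thread calls out, would also accept anything below a registered path."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


class RelyingParty:
    """Client-side bookkeeping for the mix-up mitigation: remember which AS
    each flow was started with (keyed by the one-time state value) and
    require the authorization response to name that same issuer in an
    `iss` parameter. A code arriving with another issuer is refused."""

    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)
        self.pending = {}  # state -> issuer the user agent was sent to

    def start_flow(self, issuer: str) -> str:
        if issuer not in self.trusted_issuers:
            raise ValueError("unknown issuer")
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def accept_response(self, params: dict) -> tuple:
        """Validate the query parameters of the redirect back to the client.
        Returns (accepted, reason). The state is consumed on first sight,
        whether or not the response is accepted, so replaying it fails."""
        expected_issuer = self.pending.pop(params.get("state"), None)
        if expected_issuer is None:
            return (False, "unknown or already used state")
        iss = params.get("iss")
        if iss is None:
            return (False, "response carries no iss; cannot tell which AS sent it")
        if iss != expected_issuer:
            # The code came from a different AS than the one this flow started
            # with: the mix-up condition. Do not redeem it anywhere.
            return (False, "issuer mismatch")
        if "code" not in params:
            return (False, "no authorization code")
        return (True, "ok")


if __name__ == "__main__":
    # Constructed walk-through of both checks.
    print(redirect_uri_is_registered("client-a", "https://app.example.com/cb"))
    print(redirect_uri_is_registered("client-a", "https://app.example.com/cb/anything"))
    rp = RelyingParty(["https://as1.example.net", "https://as2.example.net"])
    st = rp.start_flow("https://as1.example.net")
    print(rp.accept_response({"state": st, "iss": "https://as2.example.net", "code": "c1"}))
    st = rp.start_flow("https://as1.example.net")
    print(rp.accept_response({"state": st, "iss": "https://as1.example.net", "code": "c1"}))
```

The `state` lookup alone already defeats cut-and-paste of a response into an unrelated flow, but it says nothing about which AS produced the code; that is what the `iss` comparison adds, and it is why the thread notes the `iss` parameter helps even where the AS does not compare redirect URIs exactly.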