Re: [OAUTH-WG] client embedded browsers (was: I-D Action: draft-ietf-oauth-v2-threatmodel-01.txt)

Michael Thomas <> Thu, 15 December 2011 17:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 96ED721F84A3 for <>; Thu, 15 Dec 2011 09:43:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HYLKzWa9Il1y for <>; Thu, 15 Dec 2011 09:43:23 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A063521F8467 for <>; Thu, 15 Dec 2011 09:43:23 -0800 (PST)
Received: from ( []) (authenticated bits=0) by (8.14.3/8.14.3) with ESMTP id pBFHhI2u009030 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 15 Dec 2011 09:43:18 -0800
Message-ID: <>
Date: Thu, 15 Dec 2011 09:43:18 -0800
From: Michael Thomas <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20090605 Thunderbird/ Mnenhy/
MIME-Version: 1.0
To: Mark Mcgloin <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5904; t=1323971000; x=1324835000; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;;; z=From:=20Michael=20Thomas=20<> |Subject:=20Re=3A=20[OAUTH-WG]=20client=20embedded=20browse rs=20(was=3A=20I-D=20Action=3A=09draft-ietf-oauth-v2-threatm odel-01.txt) |Sender:=20 |To:=20Mark=20Mcgloin=20<> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=TdDU43iX5NbMhx2T5c2KkrzeA0mG96pdAt0FZ7J+Ovw=; b=Y33RImUxZSMppaDfn0nguPPSIrvG4cSvI7XG+dbMqdt9UZNioBULF/gysr KzpP/Sk4z1N31Qv6tRa8SEITJNxYCxFsE8eNKd8B/sZA/6vOsaSjt8Z/b2Ma iVJFyBZzp1ln+9eyWhoIMm0LZ5VGXe4ST/4hFBEP6KGCQGFWqMDNk=;
Authentication-Results: ; v=0.1; dkim=pass ( sig from verified; ); dkim-asp=pass
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] client embedded browsers (was: I-D Action: draft-ietf-oauth-v2-threatmodel-01.txt)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 15 Dec 2011 17:43:24 -0000

On 12/15/2011 09:32 AM, Mark Mcgloin wrote:
> Hi Michael
> We reviewed the threat model document in light of the concerns you raised
> (originally in a thread called "Problem Statement") and decided that we
> already provided enough information on threats and countermeasures from
> malicious applications.
> In addition, the consensus from the Oauth WG on that email thread ("Problem
> Statement") was that the issue of users installing malware or any malicious
> client is not an oauth specific problem and is not something we need to
> educate users on, over and above what is stated already in section 4.1.4 of
> the threat model. Based on that consensus, I would consider this issue
> closed and we will not be making any changes to the threat model

Excuse me, but I was told that my comments would be better
addressed in the threats document, and now you tell me that
you can't be bothered to address them in the threats document
either. I find this completely dismissive of the real life problems
that this protocol will face.

This *is* an OAUTH specific problem because OAUTH is being
deployed massively into the threat environment it claims to
protect against. It doesn't protect them, and as far as I can
see there is nothing but hand waving dismissal rather than
advice about how to deal with the problem. The bad guys
don't care about your head-in-sand dismissal, and the
reemergence native apps are a fact of life now.


> Regards
> Mark McGloin
> On Wed, 26 Oct 2011 13:17:58 , "Michael Thomas"<mike at>  wrote:
> First, I think that this threat should be elevated to something more than
> a threat because it is a fundamental assumption of the protocol that the
> browser is trustworthy. I have heard far too many people on this list say
> that that's silly because it is "obvious" but it is not obvious to the
> uninitiated, who are the remaining 7*10^9-100 people in this world.
> Second, I think it's worth explicitly pointing out that this PERTAINS TO
> too. The world has changed significantly since OAUTH was conceived, and
> native phone, etc apps continue to grow explosively after a long, long
> decline leading up to OAUTH's birth. I would venture to say that a sizable
> if not majority of uses of OAUTH will be in app settings.
> A few inline comments:
> 4.1.4.  Threat: End-user credentials phished using compromised or
>          embedded browser
>     A malicious application could attempt to phish end-user passwords by
>     misusing an embedded browser in the end-user authorization process,
>     or by presenting its own user-interface instead of allowing trusted
>     system browser to render the authorization user interface.  By doing
>     so, the usual visual trust mechanisms may be bypassed (e.g.  TLS
>     confirmation, web site mechanisms).  By using an embedded or internal
>     client application user interface, the client application has access
>     to additional information it should not have access to (e.g. uid/
>     password).
> [mat] I think it's also worth mentioning either here, or in another
> threat that there is a further social engineering misuse/attack where an
> app offers/demands to keep your credentials so that you don't have to go
> through the authorization rigmarole. Users are already conditioned to
> give their credentials up to do things -- just this morning I noticed
> facebook
> asking for my email password which they promise with sugar on top to not
> store. It might be worth mentioning that things like CAPTCHA could be
> deployed to defend against that sort of attack/misuse.
>     Impact: If the client application or the communication is
>     compromised, the user would not be aware and all information in the
>     authorization exchange could be captured such as username and
>     password.
>     Countermeasures:
>     o  Client developers and end-user can be educated to trust an
>        external System-Browser only.
> [mat] I assume that this is in here just for the amusement factor because
> it is not a credible countermeasure.
>     o  Client applications could be validated prior publication in a
>        application market.
> [mat] How would this be done in practice?
>     o  Client developers should not collect authentication information
>        directly from users and should instead use redirects to and back
>        from a trusted external system-browser.
> [mat] How would the resource/authentication server enforce such a thing?
> The main problem here is that the countermeasures -- if they are practical
> at all --
> are deep and complex problems unto themselves. To just handwave them away
> does
> no justice to the seriousness of the threat. I realize that this strays
> more
> into BCP land but there isn't any B-C-P, and I'm not terribly convinced
> there ever will be. In that respect, I think this threat and its potential
> countermeasures need to be discussed in much more detail. If there is
> anything
> about OAUTH that will cause it to be junked, it's this threat.
> Mike
> ----------------------------------------------------------------------------------------------------
> Mark McGloin
> e-mail:
> Tel: +353 1 8155263
> Mobile: +353 87 9932662
> Security Architect, LotusLive and Cloud Business Support Systems
> IBM Software Group
> Building 6, IBM Technology campus, Damastown Industrial Estate, Mulhuddart,
> Dublin 15
> IBM International Holdings BV registered in Ireland with number 903924.
> Registered office: Oldbrook House, 24-32 Pembroke Road, Ballsbridge, Dublin
> 4
> _______________________________________________
> OAuth mailing list