IETF Logo Mail Archive

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 18 August 2011 17:32 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03BB521F8B04 for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 10:32:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhNab7YfDHpA for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 10:32:15 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 6C09F21F8AFE for <oauth@ietf.org>; Thu, 18 Aug 2011 10:32:15 -0700 (PDT)
Received: (qmail 10102 invoked from network); 18 Aug 2011 17:33:09 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 18 Aug 2011 17:33:09 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 18 Aug 2011 10:32:56 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Niv Steingarten <nivstein@gmail.com>
Date: Thu, 18 Aug 2011 10:31:39 -0700
Thread-Topic: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
Thread-Index: AcxdyoCcbQN55M78QPCioZff6BEUegAAMTew
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345029DFAA5B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <b7df18688b7612cb85418ed587b80044@lodderstedt-online.de> <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoYO5NJrGNAHJsHennt_si+DTdA0QuLps8UBvMb=aLVoA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA22@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CACEVmuoJR2yFBBzjqT4nbGt28PDu4yFEYTnV9c893FAAuqvT+g@mail.gmail.com>
In-Reply-To: <CACEVmuoJR2yFBBzjqT4nbGt28PDu4yFEYTnV9c893FAAuqvT+g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2011 17:32:16 -0000


> -----Original Message-----
> From: Niv Steingarten [mailto:nivstein@gmail.com]
> Sent: Thursday, August 18, 2011 10:16 AM
> To: Eran Hammer-Lahav
> Cc: Torsten Lodderstedt; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner
> Impersonation)
> 
> (thanks for the typo correction)
> 
> Yes, the example I provided is a very lightweight one which does take the
> form of CSRF, but it is only the simplest example of a family of automated
> authorization flow attacks. Indeed, a nonce (or hidden token, both serve the
> same purpose in this case) would be enough here.

Great. So we need to add explicit text about preventing CSRF attacks at the authorization endpoint.

> If the client is not user-agent based, a full-fledged forgery of the whole
> process is possible, one in which CORS and sandboxes have no meaning. In a
> native client, unless some kind of human test is performed, the whole flow
> could be spoofed.

Can you provide another example with the same level of detail as you provided below?

> A CAPTCHA and/or password entry are not bullet-proof,
> but they provide a steep obstacle for the attacker.

CAPTCHA and password entry are two completely difference measures and are rarely interchangeable. CAPTCHA does nothing more than increase the likelihood that the entity on the other side is a human. Any attack prevented by CAPTCHA must be one in which automation and speed are crucial. I still don't understand what it *solves*.

> Another option would be,
> for example, to email the resource owner an OTP, with the following
> message "The application [...] requests access to [...]. Please use the number
> XXXX to allow it access etc..." (similar to Google's and Facebook's two-step
> sign-in).

Two-factor authentication is good, but completely impractical for most web authorization scenario. You need to remember that the authorization page is used for both the initial grant, but also for delegated login (by far a more frequent use). An access token can be issued almost automatically if the client has been previously authorized.

> The first attack described in my previous message takes the form of CSRF,
> while the above one may be bypassed by an attacker with the help of some
> sort of clickjacking or similar. Eventually this threat description is for a family
> of attacks which mimic the behavior of the resource owner in order to gain
> access to protected resources, and some possible countermeasures.

I don't understand this "family of attacks".

EHL

v2.23.0 | Report a Bug | By Email