Re: [OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
Brian Campbell <bcampbell@pingidentity.com> Mon, 13 April 2015 14:28 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B61991AC3C5 for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2015 07:28:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.878
X-Spam-Level:
X-Spam-Status: No, score=-0.878 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BknNnk-oW0Np for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2015 07:28:38 -0700 (PDT)
Received: from mail-ie0-f174.google.com (na3sys009aog117.obsmtp.com [74.125.149.242]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DC071AC3B6 for <oauth@ietf.org>; Mon, 13 Apr 2015 07:28:37 -0700 (PDT)
Received: from mail-ie0-f174.google.com ([209.85.223.174]) (using TLSv1) by na3sys009aob117.postini.com ([74.125.148.12]) with SMTP ID DSNKVSvSlfoseqtR2YVWIfiAwomZI7cl7nms@postini.com; Mon, 13 Apr 2015 07:28:38 PDT
Received: by iejt8 with SMTP id t8so65822208iej.2 for <oauth@ietf.org>; Mon, 13 Apr 2015 07:28:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=T5eZ7hQAp9ommSx5M+TiIp2KbKcKoe85Diz9CSep+Vs=; b=Lk1ZKY9GVB3lcKTdC4+MFdTYPEsBZ/Zy3bTAZ31hWiH4xfiCeonPCyQQVr20nEjyeX W5hU16W29e2TOyN+WmVBhs6ej549dOvhsQXLgkPj27rsYd0HQCtHCKYMdrD2VK39Z0aF 5ORcTOhAhvjphKMBrs80B9QGDBWprWTBrttoWT5jrhA2oAQJ1u7LDzTeDNxS6L9pRo4X jwSCw78Douzv4KhUe/tY9HRANRN0Et9wVoskcBIrYMRLCw7GP6hlAangNopSqqbmhV8h +PBIXDFmpvvGvkWwRwEiBdbm1xpmTTPVSEoih5RM0kXkJz5nyJhDgf/mbm9llXHOfsTz Rmmg==
X-Gm-Message-State: ALoCoQlwYBK6GSN8/Z/iuUL+SXjIX/eo9x1wvA16KT4+PX1P5qjEFBRvkIqeRYQmVkLBVhds4pFaRW906aXnvhrDGoaFxHeaJTpDvQAq7SyxjKO9uF01Q6aEVUSv6/LaqFIiOYNeBSUk
X-Received: by 10.50.65.40 with SMTP id u8mr7774303igs.40.1428935316767; Mon, 13 Apr 2015 07:28:36 -0700 (PDT)
X-Received: by 10.50.65.40 with SMTP id u8mr7774284igs.40.1428935316610; Mon, 13 Apr 2015 07:28:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.240.15 with HTTP; Mon, 13 Apr 2015 07:28:06 -0700 (PDT)
In-Reply-To: <CAAJG_r9f6Z6hjq696u0wHN9-YvHcyo9SWMLd2aurHqKJtGBEgw@mail.gmail.com>
References: <CAAJG_r9yM0okfWyVm0vMSXrrPJigmGWDoF3VeW8X1f=4Xso_Fg@mail.gmail.com> <A50AE169-85A3-46DE-AA24-8810B36970EA@ve7jtb.com> <CAAJG_r9f6Z6hjq696u0wHN9-YvHcyo9SWMLd2aurHqKJtGBEgw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 13 Apr 2015 08:28:06 -0600
Message-ID: <CA+k3eCSMe0+DTNUJioEjXOYuEnt3eu2+eC2hhM9t4OEr2y5TKg@mail.gmail.com>
To: isciurus <isciurus@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b41417cf4860405139bed84"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/iZH5EVAkQzCjfMuV9qUtvoVRZ5Q>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New header "Fragment-Scope" to prevent assertions leakage through redirects
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2015 14:28:40 -0000
I'm hardly speaking with any authority here but my hope/expectation is that using Origin Only for the Referrer Policy would provide enough info in the referer (the origin) so as to not break search engines flows or other analytics that are using data from the referer header. The referring domain is provided, which is useful data, but without there query or path that often leaks sensitive data or tokens. https://w3c.github.io/webappsec/specs/referrer-policy/ or http://www.w3.org/TR/referrer-policy/ is the work in progress on Referrer Policy. On Fri, Apr 10, 2015 at 5:37 PM, isciurus <isciurus@gmail.com> wrote: > I would also be interested to know about the possible response headers for > referrer (a draft?). Last time we brainstormed the problem with Brad Hill > we thought it could break something with search engines flow and referrer > policy. > > > I have tried to document the response headers that can help stop > leaking referrer. > > On Fri, Apr 10, 2015 at 4:08 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > >> Thanks, >> >> I have tried to document the response headers that can help stop leaking >> referrer. >> >> Being able to do the same thing to stop fragment leaking would be a good >> thing. >> >> If the W3C adds that then I would add it to our recommendations. >> >> In the Interim without browser support we may need to look at other >> methods to pass tokens to clients in the browser. >> >> I am certainly interested in tracking your proposal. >> >> John B. >> >> On Apr 10, 2015, at 4:00 PM, isciurus <isciurus@gmail.com> wrote: >> >> Hi, >> >> One of the recent drafts >> https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.html >> was brought to my attention. Regarding the part "2.2. Security Compromise: >> The Authorization Server As Open Redirector": >> >> The legitimate OAuth Authorization response will include an access >> token in the URI fragment. >> Most web browsers will append the fragment to the URI sent in the >> location header of a 302 response if no fragment is included in the >> location URI. >> >> This browser behaviour with a url fragment reattaching is indeed used >> widely in attacks on OAuth (for example, one of the recent on the bitcoin >> exchange >> http://sakurity.com/blog/2015/01/10/hacking-bitcoin-exchanger.html) and >> I am also aware of one attack on OpenID 2 implementation leaking a valid >> signature using the same technique. >> We are trying to propose a browser-level protection from sensitive url >> fragment data reattach on cross-domain redirects: >> http://lists.w3.org/Archives/Public/ietf-http-wg/2015JanMar/0066.html >> A new header in the AS response would also block fragment reattach in the >> following scenario: >> >> https://AUTHORIZATION_SERVER/authorize?response_type=token >> <https://authorization_server/authorize?response_type=token> >> &client_id=good-client&scope=VALID_SCOPE >> &redirect_uri=https%3A%2F%2AUTHORIZATION_SERVER%Fauthorize >> %3Fresponse_type%3Dcode >> %26client_id%3Dattacker-client-id >> %26scope%3DINVALID_SCOPE >> %26redirect_uri%3Dhttps%253A%252F%252Fattacker.com >> >> But it would additionally block exploitation of vulnerable clients which >> have open redirects on their domains and don't whitelist their redirect_uri: >> >> https://AUTHORIZATION_SERVER/authorize?response_type=token >> <https://authorization_server/authorize?response_type=token> >> &client_id=good-client&scope=VALID_SCOPE >> &redirect_uri=https%3A%2F%2good-client.com%Fopen_redirect >> %3Furl%3Dhttps%253A%252F%252Fattacker.com >> >> This can improve the situation with already deployed clients in large >> scale. Let me know if this proposal is interesting to the OAuth WG. >> >> Thanks, >> Andrey >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >