Re: [OAUTH-WG] Mix-Up and CnP/ Code injection
Antonio Sanso <asanso@adobe.com> Tue, 17 May 2016 06:34 UTC
Message-ID: <CAE14AB3-7A68-4F2A-B73D-FC98DBBBEE96@adobe.com>
References: <571B60BA.8090301@lodderstedt.net> <572B56BB.9080903@uni-trier.de> <CABzCy2DB8yy9yJBzjEKmLu5gHf=ZPsnj20=iBV2JkbeY9VLu9A@mail.gmail.com> <57319A8C.3070408@uni-trier.de>
In-Reply-To: <57319A8C.3070408@uni-trier.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/iw1oWHEKAtcDxXrUHgtqJd6hRlg>
Cc: "oauth@ietf.org" <oauth@ietf.org>
hi,

FWIW Facebook is not the only one here. Many OAuth providers do not do exact-matching redirect URI validation. Github, for example, is another….

regards

antonio

On May 10, 2016, at 10:23 AM, Daniel Fett <fett@uni-trier.de> wrote:

> It does not work if the AS does not check the redirect URI completely. Facebook being the main example here, and I guess they won't change this soon (for backwards compatibility).
>
> Adding the iss parameter won't break things.
>
> -Daniel
>
> On 09.05.2016 at 05:45, Nat Sakimura wrote:
>
>> Hi Daniel,
>>
>> May I ask again why separate redirect uri would not work for mix-up? (I know, it does not work for cut-n-paste.)
>>
>> Thanks,
>>
>> Nat
>>
>> On Thu, 5 May 2016 at 23:28, Daniel Fett <fett@uni-trier.de> wrote:
>>
>>> On 23.04.2016 at 13:47, Torsten Lodderstedt wrote:
>>>
>>>> I'm very much interested to find a solution within the OAuth realm as I'm not interested to either implement two solutions (for OpenId Connect and OAuth) or adopt an OpenId-specific solution to OAuth (use id tokens in the front channel). I therefore would like to see progress and propose to continue the discussion regarding mitigations for both threats.
>>>>
>>>> https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00 proposes reasonable mitigations for both attacks. There are alternatives as well:
>>>>
>>>> - mix up:
>>>> -- AS specific redirect uris
>>>> -- Meta data/turi (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
>>>> - CnP:
>>>> -- use of the nonce parameter (as a distinct mitigation beside state for counter XSRF)
>>>
>>> From our formal analysis of OAuth we are pretty confident that the mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be sufficient against the Mix-Up attack.
>>>
>>> Cheers,
>>>
>>> Daniel
>>>
>>> --
>>> Information Security and Cryptography, Universität Trier - Tel. 0651 201 2847 - H436
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>> Nat Sakimura
>> Chairman of the Board, OpenID Foundation
>> Trustee, Kantara Initiative
>
> --
> Information Security and Cryptography, Universität Trier - Tel. 0651 201 2847 - H436
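The two checks the thread argues about, as an added illustration that is not code from any of the posters: an AS-side redirect_uri comparison in exact and prefix mode (the loose matching Antonio and Daniel describe), and a client callback that binds the response to the AS the flow started with via the iss parameter from draft-ietf-oauth-mix-up-mitigation-00. The issuer URLs, the registry layout and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registry of the authorization servers this client is
# configured for (names are assumptions, not real endpoints).
AUTHZ_SERVERS = {
    "https://as-honest.example":   {"token_endpoint": "https://as-honest.example/token"},
    "https://as-attacker.example": {"token_endpoint": "https://as-attacker.example/token"},
}


def redirect_uri_matches(registered: str, requested: str, exact: bool) -> bool:
    """AS-side check. Exact string comparison is what RFC 6749 recommends;
    prefix matching is the incomplete check the thread says some large
    providers still do, and it lets a per-AS redirect URI be overridden."""
    if exact:
        return registered == requested
    return requested.startswith(registered)


def start_authorization(pending: dict, state: str, issuer: str) -> None:
    """Client side: remember which AS a fresh state value was sent to."""
    pending[state] = issuer


def handle_callback(pending: dict, callback_url: str) -> str:
    """Client callback. Returns the token endpoint the code may be redeemed
    at, or raises when the response is not bound to the AS the flow started
    with (the mix-up case: code issued by one AS, about to be sent to another)."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [None])[0]
    iss = params.get("iss", [None])[0]
    expected = pending.pop(state, None)  # state is single use
    if expected is None:
        raise ValueError("unknown or replayed state")
    if iss != expected:
        raise ValueError("issuer mismatch: possible mix-up")
    return AUTHZ_SERVERS[expected]["token_endpoint"]
```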