Re: [OAUTH-WG] problem statement

Michael Thomas <mike@mtcc.com> Tue, 06 September 2011 20:35 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FF3F21F8EA3 for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 13:35:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RaCpR+Wj6Gxb for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 13:35:03 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id D5B6421F8E96 for <oauth@ietf.org>; Tue, 6 Sep 2011 13:35:03 -0700 (PDT)
Received: from piolinux.mtcc.com (65-165-164-246.volcano.net [65.165.164.246]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id p86KanjA014592 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 6 Sep 2011 13:36:50 -0700
Message-ID: <4E66845E.7090906@mtcc.com>
Date: Tue, 06 Sep 2011 13:36:46 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: John Kemp <john@jkemp.net>
References: <4E665B25.6090709@mtcc.com> <4E6661FA.7050804@alcatel-lucent.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net>
In-Reply-To: <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2223; t=1315341411; x=1316205411; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20problem=20statement |Sender:=20 |To:=20John=20Kemp=20<john@jkemp.net> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=8Inc4zvizFSsimmBfVYenlv8ERA4tWCEPlVron7XXWI=; b=O75OPcTc6hcpsCT94/TQGi+xsky6kzGg/x47MAw3x21GfG3Shay10VrNFo 5VfSMZOt5FAxgkWt/rNEw3lJsG/BqlI6saZDQvbcnDXav6baieiTIVzUzh54 keSHKMRdJvf9S+aXEiftZYLjRdPadHqtZx4bwGVeOPXAEeZbHMhcU=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 20:35:04 -0000

John Kemp wrote:
>> I can tell you from experience that Android absolutely doesn't check anything of this
>> sort, and it would take extremely deep voodoo for Apple to do the same: they never see
>> source.
> 
> I believe that both Apple and Google *do attempt* to prevent malware from getting into their stores. 

No, seriously, they don't. Google has no review process at all, just a kill switch after the fact.
Apple doesn't have source, so the amount of testing they can do is limited, and is about 99 & 44/100%
marketing hype in any case.

>>> But I'm being told that use cases aren't the problem of oauth. I'd say that
>>>> there has all along been a hidden assumption that the browser was
>>>> a trusted entity.
>>> The point is simply that if you can subvert the actual platform, then OAuth problems are the least of your worries (as a user).
>> People keep saying that to deflect criticism, but I don't buy it. Other protocols aren't
>> availing an attacker to user credentials to third party servers by simply snooping on the
>> webview key traffic in an otherwise completely normal use pattern.
> 
> HTTP Auth? Web form login? 

When an app asks for your login credentials, it looks like the app itself asking,
if it's on the up and up. With OAuth, it looks like it's twitter, or facebook,
or whichever trusted service you're logging into. That's why I say that this situation
is worse: as a user, I have no idea which apps are good and which are sending my
credentials to a broker in Romania. At least I have some clue that it *might* do
that in the first case, but with OAuth I'm being told that that's why it exists:
so that I don't *have* to trust that app. Except that I do, as it turns out.

>> Have you ever signed on to facebook in an app before?
> 
> Frankly, not too often, no, since these apps usually ask for far more authority than I believe is necessary for the purpose of using the app.

But even if you did it once, how did you know that you didn't reveal your credentials
to a bad guy?

And I'm being told that this isn't even worthy of any mention anywhere? I came
here hoping to hear that the attack wasn't possible, or could be mitigated. Zoicks.

Mike