IETF Logo Mail Archive

Re: [OAUTH-WG] Cookies & headers in OAuth 2.0 Security Best Current Practice?

Dick Hardt <dick.hardt@gmail.com> Mon, 06 November 2023 17:08 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19FB8C17C8BC for <oauth@ietfa.amsl.com>; Mon, 6 Nov 2023 09:08:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gokMYODm7Im0 for <oauth@ietfa.amsl.com>; Mon, 6 Nov 2023 09:08:07 -0800 (PST)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA427C15C29F for <oauth@ietf.org>; Mon, 6 Nov 2023 09:08:07 -0800 (PST)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-5a86b6391e9so56770107b3.0 for <oauth@ietf.org>; Mon, 06 Nov 2023 09:08:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699290486; x=1699895286; darn=ietf.org; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=mM3J5BpUq7fkaa0eMorhkPZCzijJMALfHedK2OzXjrQ=; b=elhgLebobz+Beg2EzmuBidhj1u1uLCxGEuBtMmmXb1D+uOiEHydPTC/FYXyrNOFpQp zWzErPjf5AGT95byFnz6xs1B+rYS0cDXcB3YTlC8W3CfMhdP/SjdD5RkrF77KA0qB5B+ 5TCFbSeFJt7feo1HOxsBjJ7ExaDBp7RnttZQz4kWcn6BKJPx+0Vevb26GDV6VmIywP/G 60KbtOHeQwRaxDQT2PKS418/PSCIxTWuxHcdPBd/26xhx+FWM45QgEA8BZiWAvNrlLMk ubYGUByycqYrWXpmNJWXyN9vRONdBS54WaWOKoZgoCX6JuFRleikM0oyJapA64G1vnW/ T44w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699290486; x=1699895286; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=mM3J5BpUq7fkaa0eMorhkPZCzijJMALfHedK2OzXjrQ=; b=NV4TuW59VJ59kipxpXAEdVaORNyoKmGtwwqoa80XKa7IndJF+cnsnOic4qyvYipn6v 5NjnWqLvm9eeRWNYCVDvujITYPS/cuBKscsjcpBbRu6xvd8oqVBWADEsWIK04WD/tkld trciuF/1aBInag7LUE3MgXPZb10ftBytSjLtzSCo6HXFtkjp0t5f5kA75cMO1aGFgq0Y kgpfHd+8Z3oTyjGROB09pUJIdCeiNroNAkJDwEZlOsQH0+W9+WMcdlATef4L38MRYDtN 3eXCPPlFrcMFHdQRPYPyrfVoGU8VPVEmITHtElYGNNt0A0KOLBJpxEGOLWlLr8SW3GWT TDzQ==
X-Gm-Message-State: AOJu0Yxt2vDceBOBy9jJCi6NMM+EfHBjibQA+V2DqOGvc6eaF4CwNAyR E00pnA2qEkJ/LQ0Ocx4upgECHSUptHGqPYyfglc=
X-Google-Smtp-Source: AGHT+IEWmWjFZUu6Bn4sv09HZnw35/egjmp1Icg9oIwdH0EwqA/KUg2DZaOSdeI8RxGnHJM1HH2NV4OEMhU9g2Y26r0=
X-Received: by 2002:a05:690c:112:b0:583:741c:5fe6 with SMTP id bd18-20020a05690c011200b00583741c5fe6mr8875617ywb.52.1699290486217; Mon, 06 Nov 2023 09:08:06 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-sh0qnGzg5VwU_enq2Br9hH5zgm86z9i7vdMj_uQs=4yA@mail.gmail.com> <CAGBSGjrMDrXMd2ApKmLn_LVgMSLME-wvHqPCTpzgDxk5_+kRSA@mail.gmail.com> <f6383d62-9586-49c9-a824-9d92288ee4bd@danielfett.de> <CAGBSGjqe2HjJuh6OgJy5VU+w8HRyu159uJtMnmXS+LPWg_LphA@mail.gmail.com> <CAD9ie-sfrzEMvS8yk49XSNfvwRbcj1tPKfmNxC97VAF4pRqcfg@mail.gmail.com> <C3E1A2E4-AFE0-4C85-8F53-0C1C0154107A@gmail.com> <CAP_qYyktwsB_d0pqhMacM3Ma+wMUdDdKT56EMv6LY2xKndRVQA@mail.gmail.com> <CAD9ie-tEhWrEKeByEFx+Tvfk6_LTwzDfAZy9gq_dib2zfqz7tQ@mail.gmail.com> <D3DF8002-B819-4E60-AF46-71D4F47822AE@pragmaticwebsecurity.com>
In-Reply-To: <D3DF8002-B819-4E60-AF46-71D4F47822AE@pragmaticwebsecurity.com>
Reply-To: Dick.Hardt@gmail.com
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 06 Nov 2023 09:07:28 -0800
Message-ID: <CAD9ie-t_PKaDzcuM-vH1fy1=UEhakV6Mti1VA-kchNUcybwUjg@mail.gmail.com>
To: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Cc: Giuseppe De Marco <demarcog83@gmail.com>, Daniel Fett <fett=40danielfett.de@dmarc.ietf.org>, Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000cd1ff406097ee59a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kQxRgSO-UKHAZQEwU8wNSjmAk-I>
Subject: Re: [OAUTH-WG] Cookies & headers in OAuth 2.0 Security Best Current Practice?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 17:08:12 -0000

That's a surprising response Philippe. The BCP already has
Content-Security-Policy and Referrer-Policy headers recommendations. The
core of my feedback is to add Cookie and Header best practices to Section
2, and point to one or more living documents.

On Mon, Nov 6, 2023 at 8:45 AM Philippe De Ryck <
philippe@pragmaticwebsecurity.com> wrote:

> While I understand the idea of pointing to additional security resources,
> I’m not sure if it is the role of the security BCP (or other specs) to take
> on the responsibility to address these issues. In my point of view, the
> security BCP should focus on OAuth aspects, and discuss security topics
> that are directly relevant to that purpose.
>
> Concretely for the security mechanisms discussed here, I can see how
> cookie configurations could be relevant (the session with the AS is
> inherent to OAuth), but I don’t see defenses such as CSP as relevant in
> that scope. If these are in scope, should we then also provide advice or
> pointers on avoiding server-side implementation vulnerabilities, such as
> SQL injection or SSRF?
>
> Additionally, many of these security mechanisms are quite complex and
> non-trivial to deploy. For example, adding a generic pointer stating “you
> should add CSP” does not say much, as CSP can control more than a dozen
> features.
>
> To summarize, I would keep the scope of these specs as narrow as possible
> and avoid aiming to address security concerns that are beyond the realm of
> OAuth.
>
> Philippe
>
> —
> *Pragmatic Web Security*
> *Security for developers*
> https://pragmaticwebsecurity.com
>
> On 6 Nov 2023, at 15:39, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> +1 to referring to calling out that cookies / headers should follow best
> security practice, and pointing to living documents
>
> On Mon, Nov 6, 2023 at 6:21 AM Giuseppe De Marco <demarcog83@gmail.com>
> wrote:
>
>> Hi,
>>
>> everytime I have implemented SAML2, OAuth 2.0, OpenID Connect, for
>> different projects and orgs, I have included secured web cookie in
>> the recipe.
>> For the implementation profile of OpenID4VP I did the same, where the
>> secured and httponly cookie is used an in particular as a basic security
>> requirement for the cross device flow [1].
>>
>> Even if I got perfectly Daniel's and Aaron's editorial strategy and I
>> agree, I think that Dick's proposal and your confirmation on that, Neil, is
>> something to take into account to bring developers awareness during the
>> implementation phases.
>> A ref to living OWASP specs surrounded by a generic refs to the user
>> agent security, even if out of scope, I think that should be in the specs.
>>
>> [1]
>> https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html#remote-protocol-flow
>>
>> Il giorno lun 6 nov 2023 alle ore 15:11 Neil Madden <
>> neil.e.madden@gmail.com> ha scritto:
>>
>>> Although I think we could add some basic advice, the list of security
>>> headers to use is still evolving. For example, there were several headers
>>> added after Spectre to limit cross-site interactions. And then there’s
>>> things like the “X-XSS-Protection” header, which was best practice to add
>>> to responses not too long ago but has now been universally removed from
>>> browsers as it enabled certain content disclosure attacks.
>>>
>>> Cookie security attributes are perhaps a bit more stable, but in general
>>> we probably just want to point people at “living” guidance like OWASP.
>>>
>>> — Neil
>>>
>>> On 5 Nov 2023, at 19:28, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>> The cookie and header recommendations I am thinking of would be for the
>>> AS as well as the client.
>>>
>>> A number of XSS attacks can be thwarted by a modern browser and the
>>> right HTTP headers.
>>>
>>> My question is: Did the authors consider adding cookie and header
>>> recommendations, and decided it was too general?
>>>
>>> Cookie and header best security practices have been around for years --
>>> I'm not suggesting we make anything up -- I'm suggesting we raise
>>> awareness.
>>>
>>> I consider myself to be fairly security aware, and I was not aware of
>>> some of the HTTP headers that are best security practice.
>>>
>>> /Dick
>>>
>>>
>>> On Sun, Nov 5, 2023 at 11:19 AM Aaron Parecki <aaron=
>>> 40parecki.com@dmarc.ietf.org> wrote:
>>>
>>>> I don't think it's necessary to say "do the right things with cookies"
>>>> in the Security BCP. The Browser Apps BCP has a much deeper discussion of
>>>> how different browser-based architectures work with cookies so that seems
>>>> like a better place to actually have a real discussion about it.
>>>>
>>>> Also +1 to what Daniel said about not continuing to add little things.
>>>> Plus I think it's too late anyway, publication has already been requested
>>>> for the Security BCP.
>>>>
>>>> Aaron
>>>>
>>>> On Sun, Nov 5, 2023 at 11:14 AM Daniel Fett <fett=
>>>> 40danielfett.de@dmarc.ietf.org> wrote:
>>>>
>>>>> I agree with Aaron!
>>>>>
>>>>> Also we should be very careful about any additions to the Security BCP
>>>>> at this point. It is very easy to re-start the "one more thing" loop we've
>>>>> been stuck in for the last years. There may be more useful things to say,
>>>>> but we should put them on the list for a future second version of the BCP.
>>>>>
>>>>> -Daniel
>>>>> Am 05.11.23 um 20:03 schrieb Aaron Parecki:
>>>>>
>>>>> I don't think the Security BCP should incorporate cookie best
>>>>> practices directly in the document. If anything, it sounds like possibly a
>>>>> candidate for inclusion in the Browser Apps BCP.
>>>>>
>>>>> There are already some mentions of these cookie properties mentioned
>>>>> in the Browser Apps BCP, though only in reference to specific
>>>>> architectures, not as a general best practice. For example:
>>>>>
>>>>>
>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security
>>>>>
>>>>> Aaron
>>>>>
>>>>> On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.hardt@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hey
>>>>>>
>>>>>> I was reviewing security on some sites I managed and checked to see
>>>>>> if the recommendations were in the BCP.
>>>>>>
>>>>>> I don't see anything around cookies such as httpOnly, sameSite,
>>>>>> secure.
>>>>>>
>>>>>> I saw some HTTP security header suggestions buried in 4.16
>>>>>> (X-Frame-Options, CSP), but not for Strict-Transport-Security,
>>>>>> Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is
>>>>>> rather vague.
>>>>>>
>>>>>> I understand these are general web security best practices, and
>>>>>> perhaps I missed it, but I think it would be useful to call out that best
>>>>>> security practices around cookies and headers should also be followed in
>>>>>> Section 2, and either have the best practices included, or direct the
>>>>>> reader where to find them.
>>>>>>
>>>>>> /Dick
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email