IETF Logo Mail Archive

Re: [OAUTH-WG] problem statement

John Kemp <john@jkemp.net> Tue, 06 September 2011 20:14 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C18521F8E7A for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 13:14:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.161
X-Spam-Level:
X-Spam-Status: No, score=-0.161 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7AJpEgo0PlaE for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 13:14:18 -0700 (PDT)
Received: from oproxy8-pub.bluehost.com (oproxy8.bluehost.com [IPv6:2605:dc00:100:2::a8]) by ietfa.amsl.com (Postfix) with SMTP id AFE0821F8E4C for <oauth@ietf.org>; Tue, 6 Sep 2011 13:14:18 -0700 (PDT)
Received: (qmail 562 invoked by uid 0); 6 Sep 2011 20:16:05 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by oproxy8.bluehost.com with SMTP; 6 Sep 2011 20:16:05 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=jkemp.net; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Content-Type:Mime-Version:Subject; bh=S/KBAchkNf1NyLZEouD2upig7GQBqd206GjxgHtE5+E=; b=kDFYqEKDYc/EPw9XKyLQWYLlusebjtGMwx9WiFhqTIobLrjRiElTM+ZQJyEw4sI5KY8yl5d/8v37mTmzbdcll36PMduK0U2AKOZ6mNmxW1ax8Eg+6Y/hrIS5f9MOdSa2;
Received: from cpe-74-67-30-101.nycap.res.rr.com ([74.67.30.101] helo=[192.168.1.110]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <john@jkemp.net>) id 1R123x-0001gr-Dn; Tue, 06 Sep 2011 14:16:05 -0600
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: text/plain; charset="iso-8859-1"
From: John Kemp <john@jkemp.net>
In-Reply-To: <4E667E2E.7090304@mtcc.com>
Date: Tue, 06 Sep 2011 16:16:26 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net>
References: <4E665B25.6090709@mtcc.com> <4E6661FA.7050804@alcatel-lucent.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com>
To: Michael Thomas <mike@mtcc.com>
X-Mailer: Apple Mail (2.1244.3)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 74.67.30.101 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 20:14:19 -0000

On Sep 6, 2011, at 4:10 PM, Michael Thomas wrote:

> John Kemp wrote:
>> On Sep 6, 2011, at 3:49 PM, Michael Thomas wrote:
>>> Except in the desktop web world, I choose from a *tiny* set of browsers:
>>> chrome, firefox, opera, and, uh, ie. To a lesser or greater extent, I don't
>>> expect that the browsers themselves are malicious. Which is a pretty ok
>>> assumption.
>> It is? I would certainly question it. The WebKit WebView is embeddable in the C/C++ programming languages and APIs are available for that on most platforms - all are open to the same attacks you mention. How about the plugins you get for your browser from various places - they could have key loggers too. It's also possible for an app delivered from a server to present a login form that looks like it is from Twitter, but is actually from an attacker site. Such attacks are very common indeed, and don't require a key logger. They do require the user to "trust" the app though, just as the user would need to trust the key logger he installed.
> 
> I didn't say they weren't embeddable elsewhere. I just gave my example. And if I don't
> use plugins, the browser is relatively trustable, especially in comparison to standalone
> apps -- on desktop *or* phone, etc.

Again, I disagree. As a user, I should pay attention to the sites I visit - as much as I should pay attention to the apps I download.

> 
> 
>>> With embedded web views, that assumption goes out the window. There are
>>> 100's of thousands of apps, all of which can use webviews. I have no way
>>> to know if a given app is evil or not, and *lots* of apps provide facebook
>>> and twitter integration. Not because they're evil, but because that's what's
>>> expected by users. So the use model of oauth in this case is *very* different
>>> than the desktop use case.
>> I disagree. If anything, because desktop machines tend to be less 'locked-down' than mobile platforms (app stores for desktops followed app stores for mobile platforms), they are more widely open to abuse.
> 
> I can tell you from experience that Android absolutely doesn't check anything of this
> sort, and it would take extremely deep voodoo for Apple to do the same: they never see
> source.

I believe that both Apple and Google *do attempt* to prevent malware from getting into their stores. 
 
> 
> So the reality is that neither are trustable.

This I agree with ;)

> 
>>> But I'm being told that use cases aren't the problem of oauth. I'd say that
>>> there has all along been a hidden assumption that the browser was
>>> a trusted entity.
>> The point is simply that if you can subvert the actual platform, then OAuth problems are the least of your worries (as a user).
> 
> People keep saying that to deflect criticism, but I don't buy it. Other protocols aren't
> availing an attacker to user credentials to third party servers by simply snooping on the
> webview key traffic in an otherwise completely normal use pattern.

HTTP Auth? Web form login? 

> 
> Have you ever signed on to facebook in an app before?

Frankly, not too often, no, since these apps usually ask for far more authority than I believe is necessary for the purpose of using the app.

- John

> 
> Mike
> 
>> - John
>>> Since it isn't always, it should be very explicit in the
>>> protocol, threats, and security considerations of what could happen if it's
>>> not.
>>> 
>>> Mike, frankly this is why apps do suck but i'm not king of the world
>>> 
>>>> -- Justin
>>>> On Tue, 2011-09-06 at 15:28 -0400, Michael Thomas wrote:
>>>>> Melinda Shore wrote:
>>>>>> On 09/06/2011 11:11 AM, Jill Burrows wrote:
>>>>>>> I repeat, it is not an OAuth problem.
>>>>>> If I'm reading Mike correctly (and if I'm not it won't be the
>>>>>> first time I've misunderstood him), he's not really asking for
>>>>>> OAUTH to solve this particular problem but to clarify the
>>>>>> documents and beef up discussions of what is and is not in
>>>>>> scope.  He read the document and couldn't figure out whether
>>>>>> or not this particular problem is the business of the working
>>>>>> group.
>>>>> I'm fairly certain that if somebody were deploying oauth for their servers
>>>>> that unless the document told me that oauth doesn't provide protection
>>>>> against third party snooping if it's embedded in any app, most people wouldn't
>>>>> have a clue that that was a dangerous assumption.
>>>>> 
>>>>> What this says is that oauth only works in one use case, and that only the
>>>>> user can tell the difference. Given the proliferation of phone apps and
>>>>> embedded webviews, it seems that the original assumptions of oauth are
>>>>> no longer up to date.
>>>>> 
>>>>> Mike
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email