IETF Logo Mail Archive

Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even overHTTPS

Justin Richer <jricher@mit.edu> Thu, 28 July 2016 20:23 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 587E312D0F0 for <oauth@ietfa.amsl.com>; Thu, 28 Jul 2016 13:23:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Level:
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Ui3tnTYqQ-n for <oauth@ietfa.amsl.com>; Thu, 28 Jul 2016 13:23:53 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73BC312E0AD for <oauth@ietf.org>; Thu, 28 Jul 2016 13:23:53 -0700 (PDT)
X-AuditID: 1209190f-e0bff700000043b5-51-579a69d741b6
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id E1.46.17333.7D96A975; Thu, 28 Jul 2016 16:23:52 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id u6SKNoHp021330; Thu, 28 Jul 2016 16:23:51 -0400
Received: from [10.36.16.144] ([38.90.135.101]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u6SKNm5E028151 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 28 Jul 2016 16:23:50 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_1D82FEE9-ACB9-4F15-8FD4-8414F7435BD4"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CA+k3eCQ=K5aABZscVWtNB87AECR3=mz1YPbsj+D=T6TVrBExaQ@mail.gmail.com>
Date: Thu, 28 Jul 2016 16:23:48 -0400
Message-Id: <92B0F263-A9E8-4F3A-B61F-23549DD1AAD8@mit.edu>
References: <CAD9ie-uStPcN=6CYf-Hg-=+DP2-Sx=NLtfBB0CZX8eGWwtY93Q@mail.gmail.com> <57980887.1724c80a.e1de7.c7a7@mx.google.com> <57980a47.e928c80a.c54fd.c891@mx.google.com> <CAAP42hCC_D_-bN2o8HgPOoeiuCQ6Y1ZrOi2yY6wHVmmeFhZrbg@mail.gmail.com> <f95fh49huuwxa7mq4a206ygk.1469601942547@com.syntomo.email> <CAE7S+HagTi0ZCbNbaBLtgkNiedmdDgm8x_U+KmNZHiqjwPjPMA@mail.gmail.com> <CA+k3eCQ=K5aABZscVWtNB87AECR3=mz1YPbsj+D=T6TVrBExaQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.3124)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprEKsWRmVeSWpSXmKPExsUixCmqrXsjc1a4wY65zBar/99ktHiz8iOb xcm3r9gcmD12zrrL7rFkyU8mj7tHL7IEMEdx2aSk5mSWpRbp2yVwZazpXMxSsOEaY8W7XY/Z GhhP7WTsYuTkkBAwkbh6+StLFyMXh5BAG5PEzueTGSGcjYwS16etgXLWMEm8mruJCaSFWSBB YvLmPjYQm1dAT2LT+rdgcWEBf4mFFw6yg9hsAqoS09e0gMU5BQIl2qbfB4uzAMX3XVjLCDHH TeJw131WiDlWEjNmnGSCWLaFWWL960tgRSIC+hK3n85hh7hVVuLJyUUsExj5ZyG5YxaSOyDi 2hLLFr5mhrA1JfZ3L2fBFNeQ6Pw2kXUBI9sqRtmU3Crd3MTMnOLUZN3i5MS8vNQiXRO93MwS vdSU0k2M4KCX5N/BOKfB+xCjAAejEg/vDOlZ4UKsiWXFlbmHGCU5mJREecNCZ4YL8SXlp1Rm JBZnxBeV5qQWH2KU4GBWEuH9kQBUzpuSWFmVWpQPk5LmYFES593+rT1cSCA9sSQ1OzW1ILUI JivDwaEkwfspA6hRsCg1PbUiLTOnBCHNxMEJMpwHaPhLkBre4oLE3OLMdIj8KUZFKXHeeJCE AEgiozQPrheUlNSi2lNfMYoDvSLMuw+kigeY0OC6XwENZgIaXBw7A2RwSSJCSqqBccupKsXD dz20Jx371TVtj8/1JN2XLa/nf7kqGrEg4UW6z+M3zCnn1P82hDlyXjuj99Wy2JUp/s/RFc4X cpNO699d4LIvrUumW1b6WfNfoM8fHXukXfyofy/nu+vKut+d1fWtY5awXvE733ryZ1xV064r CSUtH50OuFwsn/R7EpvpxM4tfWmMSizFGYmGWsxFxYkARR0WFCUDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ppILuL9BlEnBy_lL8LfZBKYgeTI>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even overHTTPS
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 20:23:55 -0000

I’ve been thinking that we could, in some eventual rewrite of OAuth and its kin, collapse the “state”, “nonce”, and “code_challenge” values all into a single thing. They’re all serving similar purposes but being used differently. There was even talk of replaying the “state” value at the token endpoint, just like we do with PKCE “plain”. So why not just use them all together? Like so:


Client creates a value, we’ll call it the “request_tag” because I want something that doesn’t sound like any of the existing values on its own and I don’t care what it’s actually called in the long run. Client stores this for later use.

Client sends a request to the AS front channel and hashes the request_tag in that request, let’s call this “request_hash”. Client also sends a kind of “request_hash_method” to tell the AS how it hashed things. [This functions just like the code_challenge_method today.]

AS returns to the client front channel and includes the request_hash. [This functions just like state today.] The client can verify this hash using its stored tag.

	- If AS is doing implicit OIDC, it adds the request_hash to the ID Token here. [This functions just like nonce today.] The client can verify this hash using its stored tag.

If the client is doing code flow, it now talks to the token endpoint and includes the request_tag in its request. [This functions just like code_verifier and the proposed include-the-state-in-token-request mitigation.] The AS can verify this tag against its stored hash.

	- If the AS is doing code OIDC, it adds the request_hash to the ID token value here. [This functions just like nonce today.] The client can verify this hash using its stored tag.

The token response can include the request_hash in its response JSON, because why not.


Yes I realize this requires redoing a lot of plumbing, but if we get to this point with the protocol I think this would be simpler than the functional patchwork we’ve got going right now.

 — Justin


> On Jul 27, 2016, at 8:21 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> Yeah, in a Connect "code" only flow, the nonce is optional but if the client/RP sends and checks it, that should mitigate this. 
> 
> On Wed, Jul 27, 2016 at 1:19 AM, nov matake <matake@gmail.com <mailto:matake@gmail.com>> wrote:
> In Connect, if RP verifies nonce value in ID Token issued from Token Endpoint, code cut & paste attack can be mitigated in "code" flow, not in "code id_token", can't it?
> 
> In pure OAuth2 senario, I also think PKCE would be the simplest solution.
> 
> 2016-07-27 15:45 GMT+09:00 torsten@lodderstedt.net <mailto:torsten@lodderstedt.net> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>>:
> +1
> 
> I also think PKCE is currently the simplest way to protect OAuth clients from injection.
> 
> Sent by MailWise <http://www.mail-wise.com/installation/2> – See your emails as clean, short chats.
> 
> 
> 
> -------- Originalnachricht --------
> Betreff: Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even	overHTTPS
> Von: William Denniss <wdenniss@google.com <mailto:wdenniss@google.com>>
> An: John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>
> Cc: Oauth Wrap Wg <oauth@ietf.org <mailto:oauth@ietf.org>>
> 
> 
> PKCE S256 was indeed designed to protect against eavesdropping of both the authorization request & response.  It was originally created for native apps where URL leakage was deemed more likely (since it goes over inter-process communication channels), perhaps the practice should be expanded to all clients.
> 
> On Tue, Jul 26, 2016 at 6:11 PM, <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
> PS   Using PKCE S256 would prevent this attack on web server clients, as long as the client uses a different PKCE vale for each request.    Even if the attacker can observe both the request and response, they would not have the code_verifyer and if replaying the code to the client the client will use the wrong verifier value to exchange the code and will get an error.
> 
>  
> 
> That is probably the simplest mitigation against this for the code flow on web servers and native apps.
> 
>  
> 
> I will think about it overnight.
> 
>  
> 
> John B.
> 
>  
> 
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
> 
>  
> 
> From: ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>
> Sent: July 26, 2016 9:04 PM
> To: Dick Hardt <mailto:dick.hardt@gmail.com>; Oauth Wrap Wg <mailto:oauth@ietf.org>
> Subject: RE: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even overHTTPS
> 
>  
> 
> I need to think about it a bit,  however off the top of my head based on the attack described the code flow should still be safe if the code is truly single use.   (Some implementations fudge that)
> 
>  
> 
> If the attacker can stop the browser from delivering the code to the client then the client would be susceptible to the cut and paste attack for injecting the code back into the client. 
> 
>  
> 
> The OpenID Connect “code id_token” flow is not vulnerable to this if the client is properly validating the id_token.
> 
>  
> 
> I suspect that this would work against the implicit flow if the JS is sending the code back to its web server via a GET. 
> 
> That I think we recommend against doing, or should.
> 
>  
> 
> The Token binding proposals would stop a leaked code from being used, but not from being stolen in this attack.
> 
>  
> 
> The attack against a confidential client would be the cut and paste one that we have identified.  Currently the only mitigation we have is “code id_token”  so the blog post at.
> 
> http://openid.net/2016/07/16/preventing-mix-up-attacks-with-openid-connect/ <http://openid.net/2016/07/16/preventing-mix-up-attacks-with-openid-connect/>
>  
> 
> I the most relevant current advice.
> 
> The thing to add is that the code leaked in this way should not be repayable at the client
> 
>  
> 
> I don’t think that native apps are vulnerable to this if they are using custom scheme redirects. 
> 
>  
> 
> I don’t know what the risk is if they are using loopback or claimed URI.  It may be that a browser might leak them in the same way.
> 
> That would need to be tested.
> 
>  
> 
> John B.
> 
>  
> 
>  
> 
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
> 
>  
> 
> From: Dick Hardt <mailto:dick.hardt@gmail.com>
> Sent: July 26, 2016 8:15 PM
> To: Oauth Wrap Wg <mailto:oauth@ietf.org>
> Subject: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even over HTTPS
> 
>  
> 
> http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/ <http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/>
>  
> 
> Access tokens included as a URL query parameter when accessing a resource are susceptible to this attack.
> 
>  
> 
> Authorization codes are also visible. From what I know, we have not depended on the confidentiality of the authorization code. 
> 
>  
> 
> What are the best current practices that we can point people towards to ensure they are not susceptible to this attack?
> 
>  
> 
> -- Dick 
> 
> Subscribe to the HARDTWARE <http://hardtware.com/> mail list to learn about projects I am working on!
> 
>  
> 
>  
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> 
> 
> -- 
> nov matake
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email