IETF Logo Mail Archive

Re: [OAUTH-WG] problem statement

John Kemp <john@jkemp.net> Tue, 06 September 2011 19:56 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 928A921F8D73 for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 12:56:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.161
X-Spam-Level:
X-Spam-Status: No, score=-0.161 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ANAuqVBnAEgz for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 12:56:20 -0700 (PDT)
Received: from oproxy1-pub.bluehost.com (oproxy1.bluehost.com [IPv6:2605:dc00:100:2::a1]) by ietfa.amsl.com (Postfix) with SMTP id D2B8221F8D67 for <oauth@ietf.org>; Tue, 6 Sep 2011 12:56:20 -0700 (PDT)
Received: (qmail 8800 invoked by uid 0); 6 Sep 2011 19:58:08 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by oproxy1.bluehost.com with SMTP; 6 Sep 2011 19:58:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=jkemp.net; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Content-Type:Mime-Version:Subject; bh=PZRTcimX7B/SsJFepP3alXFHK1W4jNpVLO5W5t3IAsE=; b=DnFm5pV3NE8d+puMlgSkWM8RDwPY82IyxRaD3s01J+Al6ZJ9O/6UDcRM+wtKxoLJdPY1QtFAjlFNmkXUGvfvJrjhSEfSi2iXCD4PITmy6f4ki5FiNf1uPZn6ifgMwZzA;
Received: from cpe-74-67-30-101.nycap.res.rr.com ([74.67.30.101] helo=[192.168.1.110]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <john@jkemp.net>) id 1R11mZ-0000yQ-T0; Tue, 06 Sep 2011 13:58:08 -0600
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <4E667953.9020906@mtcc.com>
Date: Tue, 06 Sep 2011 15:58:28 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net>
References: <4E665B25.6090709@mtcc.com> <4E6661FA.7050804@alcatel-lucent.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com>
To: Michael Thomas <mike@mtcc.com>
X-Mailer: Apple Mail (2.1244.3)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 74.67.30.101 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 19:56:21 -0000

On Sep 6, 2011, at 3:49 PM, Michael Thomas wrote:
> 
> Except in the desktop web world, I choose from a *tiny* set of browsers:
> chrome, firefox, opera, and, uh, ie. To a lesser or greater extent, I don't
> expect that the browsers themselves are malicious. Which is a pretty ok
> assumption.

It is? I would certainly question it. The WebKit WebView is embeddable in the C/C++ programming languages and APIs are available for that on most platforms - all are open to the same attacks you mention. How about the plugins you get for your browser from various places - they could have key loggers too. It's also possible for an app delivered from a server to present a login form that looks like it is from Twitter, but is actually from an attacker site. Such attacks are very common indeed, and don't require a key logger. They do require the user to "trust" the app though, just as the user would need to trust the key logger he installed.

> 
> With embedded web views, that assumption goes out the window. There are
> 100's of thousands of apps, all of which can use webviews. I have no way
> to know if a given app is evil or not, and *lots* of apps provide facebook
> and twitter integration. Not because they're evil, but because that's what's
> expected by users. So the use model of oauth in this case is *very* different
> than the desktop use case.

I disagree. If anything, because desktop machines tend to be less 'locked-down' than mobile platforms (app stores for desktops followed app stores for mobile platforms), they are more widely open to abuse.

> 
> But I'm being told that use cases aren't the problem of oauth. I'd say that
> there has all along been a hidden assumption that the browser was
> a trusted entity.

The point is simply that if you can subvert the actual platform, then OAuth problems are the least of your worries (as a user).

- John

> Since it isn't always, it should be very explicit in the
> protocol, threats, and security considerations of what could happen if it's
> not.
> 
> Mike, frankly this is why apps do suck but i'm not king of the world
> 
>> -- Justin
>> On Tue, 2011-09-06 at 15:28 -0400, Michael Thomas wrote:
>>> Melinda Shore wrote:
>>>> On 09/06/2011 11:11 AM, Jill Burrows wrote:
>>>>> I repeat, it is not an OAuth problem.
>>>> If I'm reading Mike correctly (and if I'm not it won't be the
>>>> first time I've misunderstood him), he's not really asking for
>>>> OAUTH to solve this particular problem but to clarify the
>>>> documents and beef up discussions of what is and is not in
>>>> scope.  He read the document and couldn't figure out whether
>>>> or not this particular problem is the business of the working
>>>> group.
>>> I'm fairly certain that if somebody were deploying oauth for their servers
>>> that unless the document told me that oauth doesn't provide protection
>>> against third party snooping if it's embedded in any app, most people wouldn't
>>> have a clue that that was a dangerous assumption.
>>> 
>>> What this says is that oauth only works in one use case, and that only the
>>> user can tell the difference. Given the proliferation of phone apps and
>>> embedded webviews, it seems that the original assumptions of oauth are
>>> no longer up to date.
>>> 
>>> Mike
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email