Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature
Jim Manico <jim@manicode.com> Mon, 14 December 2020 03:49 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A8F93A0E50 for <oauth@ietfa.amsl.com>; Sun, 13 Dec 2020 19:49:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YC6BMSArrdQc for <oauth@ietfa.amsl.com>; Sun, 13 Dec 2020 19:49:24 -0800 (PST)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B4873A0E4D for <oauth@ietf.org>; Sun, 13 Dec 2020 19:49:24 -0800 (PST)
Received: by mail-pf1-x430.google.com with SMTP id 11so11212225pfu.4 for <oauth@ietf.org>; Sun, 13 Dec 2020 19:49:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode.com; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=Sq4XXxEtDJkeCpntsYIFQYtWAz+nV2ZHVzjHrD/C8C8=; b=QSZhW4R/Fj0drJzakjTcirI0IJ/OsXnDVr93F9xk9iGS6EI7bZIHsLHsW+7sYKI62J TG1nyp5cgXk5vQhOYCo1jrRO2BEmfoSKaL94eOku/AJtTM008gsY1uU9uTPoOKt6SnSw L4nKEKbQtcD1SNv6w/kdMbS2GlSkxSVXGMOCOLWVKKuWkkfm15LeSKlfNuSq5NW0/opK f0chkS983Po53LgEoAtynhDy6ic/Sp4qzofhkpR4UB/ZTQKuNY80j7I8xnSSkB8fM/95 zHyXP3jMQlFcMkPLA+6ScqvBEpillZEbMtXyRuo620vyXyJIjqUYaEIr3wIXEwMhIlAw l4hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=Sq4XXxEtDJkeCpntsYIFQYtWAz+nV2ZHVzjHrD/C8C8=; b=JmSmGm/zb8re06z3ryfZmLJxLci6N6MNLRfR/WPpfRPQ8mI+Dg1llHvvI1Ja2i7BjR 2zq/K9MRJrSU+Yy7scSPLzguNYIlKxhlIXaCMz/yRlEO1g6zXgbfwEckQYx7zB53xvAA ra+pylZgwP4tEaLD12FGZp9cFgWac+2CSVFGA8aZBSpNiwq+BjXorTcLfOZJktbmT8no wIgektnRD5+2LdaNZYwOkNIq1OTLBk1lQdYfPuWELXuGyDwRUt81HIb8CBbdpxxka4lP UN94aI5LQzG8MHNQVsDm1vfi/gmOMLxZnsj4OGjqHWbZAYy7KlKz6aM/ogzdei+tUzel EYiw==
X-Gm-Message-State: AOAM530Nv0QvMAXhsffrwW+go9mFKeTtp/Bb4UliLqHUfysKPDR3mYFS IDnwCTUQ52LKJOYGdNmosRH1ODCkkoJt+Q==
X-Google-Smtp-Source: ABdhPJzvtBDZe+Hp9datFvYXYOxAFi9DqPIpC8iJKv0cu3/38MARvC00d85pMPVVMDNM97Pf2E/z6w==
X-Received: by 2002:a62:62c7:0:b029:18b:c7ae:934a with SMTP id w190-20020a6262c70000b029018bc7ae934amr21888786pfb.18.1607917763246; Sun, 13 Dec 2020 19:49:23 -0800 (PST)
Received: from ?IPv6:2603:800c:3340:5d:fc04:18c5:3159:9290? (2603-800c-3340-005d-fc04-18c5-3159-9290.res6.spectrum.com. [2603:800c:3340:5d:fc04:18c5:3159:9290]) by smtp.googlemail.com with ESMTPSA id h24sm17888121pfq.13.2020.12.13.19.49.20 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 13 Dec 2020 19:49:21 -0800 (PST)
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Philippe De Ryck <philippe@pragmaticwebsecurity.com>, oauth <oauth@ietf.org>
References: <CA+k3eCSyMWyLYorWH7KY+XR1syAQUi4tQXdUuevKz4Y6xNMheA@mail.gmail.com> <CALAqi_8zWGAG8p5OnrTB=4q_jL00dJi5oYQrWXmzvqKGhfL28w@mail.gmail.com> <30D5F7BA-EA54-4E40-A2FC-222AA0C9AF8D@lodderstedt.net> <CALAqi_9AH5O6d2W+0UDz83=Csm9BbcU8j6qiRxz5rzLfzm6AQA@mail.gmail.com> <353E4494-2F80-44BC-9267-6FB8B37AA0FE@lodderstedt.net> <CE661132-5D86-4652-B115-E6089E39BC68@pragmaticwebsecurity.com> <1B663AA7-563D-4D25-A408-9ED10FD818AC@forgerock.com> <DE120562-2955-461B-9852-4F0B414B18FA@pragmaticwebsecurity.com> <CA+k3eCTnfYOFmZzu9j5XWbsZUj74f3UG54ZiWtqqyzAqRRj17Q@mail.gmail.com> <EA539A6E-3F9F-4569-95BF-AE3894CE3CA6@pragmaticwebsecurity.com> <CA+k3eCQSbCd0mAu+qFzsm+0runqdLf7GOC27UqR4KoLQGCF44A@mail.gmail.com> <6b389264-96c2-497b-d8f5-204cf430bec1@manicode.com> <CA+k3eCQ7gk_EoaPWOdmFBmWoyjQSpmAp210Ls-wUECnGiWwS-w@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <7d793da6-28d9-b31a-4b16-07c3396c017f@manicode.com>
Date: Sun, 13 Dec 2020 17:49:18 -1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQ7gk_EoaPWOdmFBmWoyjQSpmAp210Ls-wUECnGiWwS-w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------411BE829BB204DEE07D3DF5C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xcRoNS7pepTSdO8yeB83aIS6Vqw>
Subject: Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 03:49:28 -0000
Brian, I just focus on web security and understand the risk of XSS well. It seems to me that many of the designers of OAuth 2 do not have a web security background and keep trying to address XSS with add-ons without success. - Jim On 12/11/20 2:01 PM, Brian Campbell wrote: > I think that puts Jim in the XSS Nihilism camp :) > > Implicit type flows are being deprecated/discouraged. But keeping > tokens out of browsers doesn't seem likely. There is some menton of > CSP in > https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07#section-9.7 > <https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07#section-9.7> > > > On Wed, Dec 9, 2020 at 4:10 PM Jim Manico <jim@manicode.com > <mailto:jim@manicode.com>> wrote: > > The basic theme from the web attacker community is: > > 1) XSS is a game over event to web clients. XSS can steal or abuse > (request forgery) tokens, and more. > > 2) Even if you prevent stolen tokens from being used outside of a > web client, XSS still allows the attacker to force a user to make > any request in a fraudulent way, abusing browser based tokens as a > form of request forgery. > > 3) There are advanced measures to stop a token from being stolen > from a web client, like a HTTPonly cookies and to a lesser degree, > JS Closures and Webworkers. > > 4) However, these measures to protect cookies are mostly moot. > Attackers can just force clients to make fraudulent requests. > > 5) Many recommend the BFF pattern to hide tokens on the back end, > but still, request forgery via XSS allows all kinds of abuse. > > XSS is game over no matter how you slice it. > > Crypto solutions do not help. Perhaps the world of OAuth can start > suggesting that web clients use CSP 3.0 in specific ways, if you > still plan to support Implicit type flows or tokens in browsers? > > Respectfully, > > - Jim > > > On 12/9/20 12:57 PM, Brian Campbell wrote: >> Thanks Philippe, I very much concur with your line of reasoning >> and the important considerations. The scenario I was thinking of >> is: browser based client where XSS is used to exfiltrate the >> refresh token along with pre-computed proofs that would allow for >> the RT to be exchanged for new access tokens and also >> pre-computed proofs that would work with those access tokens for >> resource access. With the pre-computed proofs that would allow >> prolonged (as long as the RT is valid) access to protected >> resources even when the victim is offline. Is that a concrete >> attack scenario? I mean, kind of. It's pretty convoluted/complex. >> And while an access token hash would reign it in somewhat (ATs >> obtained from the stolen RT wouldn't be usable) it's hard to say >> if the cost is worth the benefit. >> >> >> >> On Tue, Dec 8, 2020 at 11:47 PM Philippe De Ryck >> <philippe@pragmaticwebsecurity.com >> <mailto:philippe@pragmaticwebsecurity.com>> wrote: >> >> Yeah, browser-based apps are pure fun, aren’t they? :) >> >> The reason I covered a couple of (pessimistic) XSS scenarios >> is that the discussion started with an assumption that the >> attacker already successfully exploited an XSS vulnerability. >> I pointed out how, at that point, finetuning DPoP proof >> contents will have little to no effect to stop an attack. I >> believe it is important to make this very clear, to avoid >> people turning to DPoP as a security mechanism for >> browser-based applications. >> >> >> Specifically to your question on including the hash in the >> proof, I think these considerations are important: >> >> 1. Does the inclusion of the AT hash stop a concrete attack >> scenario? >> 2. Is the “cost” (implementation, getting it right, …) worth >> the benefits? >> >> >> Here’s my view on these considerations (*/specifically for >> browser-based apps, not for other types of applications/*): >> >> 1. The proof precomputation attack is already quite complex, >> and short access token lifetimes already reduce the window of >> attack. If the attacker can steal a future AT, they could >> also precompute new proofs then. >> 2. For browser-based apps, it seems that doing this >> complicates the implementation, without adding much benefit. >> Of course, libraries could handle this, which significantly >> reduces the cost. >> >> >> Note that these comments are specifically to complicating the >> spec and implementation. DPoP’s capabilities of using >> sender-constrained access tokens are still useful to counter >> various other scenarios (e.g., middleboxes or APIs abusing >> access tokens). If other applications would significantly >> benefit from having the hash in the proof, I’m all for it. >> >> On a final note, I would be happy to help clear up the >> details on web-based threats and defenses if necessary. >> >> — >> *Pragmatic Web Security* >> /Security for developers/ >> https://pragmaticwebsecurity.com/ >> <https://pragmaticwebsecurity.com/> >> >> >>> On 8 Dec 2020, at 22:47, Brian Campbell >>> <bcampbell@pingidentity.com >>> <mailto:bcampbell@pingidentity.com>> wrote: >>> >>> Danial recently added some text to the working copy of the >>> draft with >>> https://github.com/danielfett/draft-dpop/commit/f4b42058 >>> <https://github.com/danielfett/draft-dpop/commit/f4b42058> >>> that I think aims to better convey the "nutshell: XSS = Game >>> over" sentiment and maybe dissuade folks from looking to >>> DPoP as a cure-all for browser based applications. >>> Admittedly a lot of the initial impetus behind producing the >>> draft in the first place was born out of discussions around >>> browser based apps. But it's neither specific to browser >>> based apps nor a panacea for them. I hope the language in >>> the document and how it's recently been presented is >>> reflective of that reality. >>> >>> The more specific discussions/recommendations around >>> in-browser apps are valuable (if somewhat over my head) but >>> might be more appropriate in the OAuth 2.0 for Browser-Based >>> Apps >>> <https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/> >>> draft. >>> >>> With respect to the contents of the DPoP draft, I am still >>> keen to try and flush out some consensus around the question >>> posed in the start of this thread, which is effectively >>> whether or not to include a hash of the access token in the >>> proof. Acknowledging that "XSS = Game over" does sort of >>> evoke a tendency to not even bother with such incremental >>> protections (what I've tried to humorously coin as "XSS >>> Nihilism" with no success). And as such, I do think that >>> leaving it how it is (no AT hash in the proof) is not >>> unreasonable. But, as Filip previously articulated, >>> including the AT hash in the proof would prevent potentially >>> prolonged access to protected resources even when the victim >>> is offline. And that seems maybe worthwhile to have in the >>> protocol, given that it's not a huge change to the spec. But >>> it's a trade-off either way and I'm personally on the fence >>> about it. >>> >>> Including an RT hash in the proof seems more niche. Best I >>> can tell, it would guard against prolonged offline access to >>> protected resources when access tokens are bearer and the RT >>> was DPoP-bound and also gets rotated. The trade-off there >>> seems less worth it (I think an RT hash would be more >>> awkward in the protocol too). >>> >>> >>> >>> >>> >>> >>> >>> On Fri, Dec 4, 2020 at 5:40 AM Philippe De Ryck >>> <philippe@pragmaticwebsecurity.com >>> <mailto:philippe@pragmaticwebsecurity.com>> wrote: >>> >>> >>>> The suggestion to use a web worker to ensure that >>>> proofs cannot be pre-computed is a good one I think. >>>> (You could also use a sandboxed iframe for a separate >>>> sub/sibling-domain - dpop.example.com >>>> <http://dpop.example.com/>). >>> >>> An iframe with a different origin would also work (not >>> really sandboxing, as that implies the use of the >>> sandbox attribute to enforce behavioral restrictions). >>> The downside of an iframe is the need to host additional >>> HTML, vs a script file for the worker, but the effect is >>> indeed the same. >>> >>>> For scenario 4, I think this only works if the attacker >>>> can trick/spoof the AS into using their redirect_uri? >>>> Otherwise the AC will go to the legitimate app which >>>> will reject it due to mismatched state/PKCE. Or are you >>>> thinking of XSS on the redirect_uri itself? I think >>>> probably a good practice is that the target of a >>>> redirect_uri should be a very minimal and locked down >>>> page to avoid this kind of possibility. (Again, using a >>>> separate sub-domain to handle tokens and DPoP seems >>>> like a good idea). >>> >>> My original thought was to use a silent flow with Web >>> Messaging. The scenario would go as follows: >>> >>> 1. Setup a Web Messaging listener to receive the >>> incoming code >>> 2. Create a hidden iframe with the DOM APIs >>> 3. Create an authorization request such as >>> “//authorize?response_type=code&client_id=...&redirect_uri=https%3A%2F%example.com >>> <http://example.com/>&state=...&code_challenge=7-ffnU1EzHtMfxOAdlkp_WixnAM_z9tMh3JxgjazXAk&code_challenge_method=S256&prompt=none&response_mode=web_message/” >>> 4. Load this URL in the iframe, and wait for the result >>> 5. Retrieve code in the listener, and use PKCE (+ DPoP >>> if needed) to exchange it for tokens >>> >>> This puts the attacker in full control over every aspect >>> of the flow, so no need to manipulate any of the parameters. >>> >>> >>> After your comment, I also believe an attacker can run >>> the same scenario without the >>> “/response_mode=web_message/”. This would go as follows: >>> >>> 1. Create a hidden iframe with the DOM APIs >>> 2. Setup polling to read the URL (this will be possible >>> for same-origin pages, not for cross-origin pages) >>> 3. Create an authorization request such as >>> “//authorize?response_type=code&client_id=...&redirect_uri=https%3A%2F%example.com >>> <http://example.com/>&state=...&code_challenge=7-ffnU1EzHtMfxOAdlkp_WixnAM_z9tMh3JxgjazXAk&code_challenge_method=S256/” >>> 4. Load this URL in the iframe, and keep polling >>> 5. Detect the redirect back to the application with the >>> code in the URL, retrieve code, and use PKCE (+ DPoP if >>> needed) to exchange it for tokens >>> >>> In step 5, the application is likely to also try to >>> exchange the code. This will fail due to a mismatching >>> PKCE verifier. While noisy, I don’t think it affects the >>> scenario. >>> >>> >>>> IMO, the online attack scenario (i.e., proxying >>>> malicious requests through the victim’s browser) is >>>> quite appealing to an attacker, despite the apparent >>>> inconvenience: >>>> >>>> - the victim’s browser may be inside a corporate >>>> firewall or VPN, allowing the attacker to effectively >>>> bypass these restrictions >>>> - the attacker’s traffic is mixed in with the user’s >>>> own requests, making them harder to distinguish or to block >>>> >>>> Overall, DPoP can only protect against XSS to the same >>>> level as HttpOnly cookies. This is not nothing, but it >>>> means it only prevents relatively naive attacks. Given >>>> the association of public key signatures with strong >>>> authentication, people may have overinflated >>>> expectations if DPoP is pitched as an XSS defence. >>> >>> Yes, in the cookie world this is known as “Session >>> Riding”. Having the worker for token isolation would >>> make it possible to enforce a coarse-grained policy on >>> outgoing requests to prevent total abuse of the AT. >>> >>> My main concern here is the effort of doing DPoP in a >>> browser versus the limited gains. It may also give a >>> false sense of security. >>> >>> >>> >>> With all this said, I believe that the AS can lock down >>> its configuration to reduce these attack vectors. A few >>> initial ideas: >>> >>> 1. Disable silent flows for SPAs using RT rotation >>> 2. Use the sec-fetch headers to detect and reject >>> non-silent iframe-based flows >>> >>> For example, an OAuth 2.0 flow in an iframe in >>> Brave/Chrome carries these headers: >>> / >>> sec-fetch-dest: iframe >>> sec-fetch-mode: navigate >>> sec-fetch-site: cross-site >>> sec-fetch-user: ?1 >>> / >>> >>> >>> Philippe >>> >>> >>> /CONFIDENTIALITY NOTICE: This email may contain confidential >>> and privileged material for the sole use of the intended >>> recipient(s). Any review, use, distribution or disclosure by >>> others is strictly prohibited. If you have received this >>> communication in error, please notify the sender immediately >>> by e-mail and delete the message and any file attachments >>> from your computer. Thank you./ >> >> >> /CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended >> recipient(s). Any review, use, distribution or disclosure by >> others is strictly prohibited. If you have received this >> communication in error, please notify the sender immediately by >> e-mail and delete the message and any file attachments from your >> computer. Thank you./ >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > -- > Jim Manico > Manicode Security > https://www.manicode.com <https://www.manicode.com> > > > /CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any > file attachments from your computer. Thank you./ -- Jim Manico Manicode Security https://www.manicode.com
- [OAUTH-WG] DPoP followup I: freshness and coverag… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Filip Skokan
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Filip Skokan
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Jim Manico
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Jim Manico
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Justin Richer
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Filip Skokan