IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Thu, 05 January 2012 14:03 UTC

Return-Path: <mark.mcgloin@ie.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04AF821F882B for <oauth@ietfa.amsl.com>; Thu, 5 Jan 2012 06:03:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.592
X-Spam-Level:
X-Spam-Status: No, score=-2.592 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p+zhbg+f7wpi for <oauth@ietfa.amsl.com>; Thu, 5 Jan 2012 06:03:52 -0800 (PST)
Received: from e06smtp10.uk.ibm.com (e06smtp10.uk.ibm.com [195.75.94.106]) by ietfa.amsl.com (Postfix) with ESMTP id 69A2B21F8684 for <oauth@ietf.org>; Thu, 5 Jan 2012 06:03:51 -0800 (PST)
Received: from /spool/local by e06smtp10.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <mark.mcgloin@ie.ibm.com>; Thu, 5 Jan 2012 14:03:50 -0000
Received: from d06nrmr1707.portsmouth.uk.ibm.com ([9.149.39.225]) by e06smtp10.uk.ibm.com ([192.168.101.140]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 5 Jan 2012 14:03:48 -0000
Received: from d06av06.portsmouth.uk.ibm.com (d06av06.portsmouth.uk.ibm.com [9.149.37.217]) by d06nrmr1707.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q05E3lna1777674; Thu, 5 Jan 2012 14:03:47 GMT
Received: from d06av06.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av06.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q05E3bLw013071; Thu, 5 Jan 2012 07:03:38 -0700
Received: from d06ml091.portsmouth.uk.ibm.com (d06ml091.portsmouth.uk.ibm.com [9.149.104.170]) by d06av06.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id q05E3bKu013063; Thu, 5 Jan 2012 07:03:37 -0700
In-Reply-To: <1325721020.62165.YahooMailNeo@web31812.mail.mud.yahoo.com>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com> <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com> <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com> <4F04BF70.3 <1325721020.62165.YahooMailNeo@web31812.mail.mud.yahoo.com>
X-KeepSent: AD11189B:B32C550F-8025797C:004BC346; type=4; name=$KeepSent
To: William Mills <wmills@yahoo-inc.com>
X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010
Message-ID: <OFAD11189B.B32C550F-ON8025797C.004BC346-8025797C.004D3FB9@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Thu, 05 Jan 2012 14:03:41 +0000
X-MIMETrack: Serialize by Router on D06ML091/06/M/IBM(Release 8.5.2FP1 ZX852FP1HF12|September 28, 2011) at 05/01/2012 14:03:40
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
x-cbid: 12010514-4966-0000-0000-000001107CA9
Cc: oauth-bounces@ietf.org, Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 14:03:53 -0000

Why do you think this William? Apple does it? Google android market had to
pull 30 apps recently because they contained malware. There are automated
tools that will do some sanity checks on apps and it is only advice, i.e.
'could'

Mark

> William Mills <wmills@yahoo-inc.com>
>
>   "  o  Client applications could be validated prior publication in a
>       application market."
>
> Should just be struck.  Michael is correct that it's fluff, and
> unenforceable.  There are too many app marketplaces, opensource
> projects, etc. to make this a useful suggestion.
>
> From: Michael Thomas <mike@mtcc.com>
> To: Torsten Lodderstedt <torsten@lodderstedt.net>
> Cc: Barry Leiba <barryleiba@computer.org>; oauth WG <oauth@ietf.org>
> Sent: Wednesday, January 4, 2012 3:40 PM
> Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01,
> ends 9 Dec 2011
>
> On 01/04/2012 02:14 PM, Torsten Lodderstedt wrote:
> > Hi Michael,
> >
> > Am 04.01.2012 22:06, schrieb Michael Thomas:
> >> I think the "perhaps unwisely" goes to the heart of my objection. You
> >> might as well be talking about "perhaps unwisely" driving a car,
> >> or "perhaps unwisely" eating food: the reality is that people download
> >> apps by the *billions*.  When I was initially blown off, many of the
> >> participants including document editors implied that only idiots get
> >> apps for their phones. That is *completely* unhelpful as the reality
> >> is that OAUTH's use is hugely if not primarily deployed in that sort
of
> >> environment.
> >
> > I fully agree with you. That's why the core spec and the threat
> document both consider native apps.
> >
> >>
> >> This is a threat that cuts to the very heart of what OAUTH is, and
purports
> >> to defend against: keeping user credentials out of the hands of an
> >> untrusted third party. If there really aren't any good ways to
> mitigate this
> >> in an app environment, why is OAUTH being deployed so aggressively
there?
> >> Shouldn't the threat draft say in blinking bold: "DEPLOYING OAUTH
> >> IN NATIVE APPS CONSIDERED HARMFUL"?
> >
> > You lost me. Is the situation getting any worse with OAuth? I
> don't think so. I think the situation is getting better, probably
> not as you might expect.
>
> My concern is that putting on a veneer of "security" will lull people
into
> thinking "Oh, it's safe to enter my credentials here because this is
really
> twitterbook, not evilapp!". When I had to ask them directly to put their
> twitterbook credentials into my app, there at least wasn't any confusion
> that I had access to them.
>
> Realistically, what you've done is protected the credentials from the
good
> guys and not changed much for a motivated bad guy. Is that an
improvement?
> I'll buy that it's generally bad practice for good guys with most likely
bad
> security chops to  be storing credentials, but I'm guessing that the
original
> OAUTH motivation was more toward thwarting bad guys.
>
> >
> > The key question is: Why do we aim on "keeping user credentials
> out of the hands of an untrusted third party"?
> >
> > 1) To prevent phishing or 2) to prevent leakage of end-user
> credentials due to inappropriate handling or weak defence on the 3rd
party?
> >
> > wrt 1) I don't think so. I don't see how an authorization server
> shall validate the authenticity and trustworthiness of a client-side
> application. We already state this in section 4.4.1.4. of the
threatdocument.
>
> The draft says:
>
>   o  Client applications could be validated prior publication in a
>       application market.
>
> I asked -- and didn't get a response -- about how exactly that might
> be done. I suspect
> that in practice for the twitterbook universe that there is no way
> that scales. So the
> reality here seems to be there isn't an answer for the Internet at
> large, and the threats
> document should just say that mitigation MAY be possible in very
> narrow use cases where
> code reviews, and other heavy handed analysis can be performed, but
> for the general case
> there is no mitigation.
>
> As far as 4.4.1.4 goes, I'd say that the counter measures really
> don't help except
> maybe for auditing. If that's what they're really about, the draft
> should make that
> explicit.
>
> Also on the subject of 4.4.1.4, this bullet:
>
>
> o  If the authorization server automatically authenticates the end-
>       user, it may nevertheless require some user input in order to
>       prevent screen scraping.  Examples are CAPTCHAs or user-specific
>       secret like PIN codes.
>
>
> I'm very skeptical because a native environment is a social
> engineering nirvana.
> The CAPTCHA could easily be shown to the user and they'd blissfully
> solve it just
> like they do any other one.
>
>
>
>
> >
> > -----------------------
> > It is not the task of the authorization server to protect
> >    the end-user's device from malicious software.  This is the
> >    responsibility of the platform running on the particular device
> >    probably in cooperation with other components of the respective
> >    ecosystem (e.g. an application management infrastructure).  The sole
> >    responsibility of the authorization server is to control access to
> >    the end-user's resources living in resource servers and to prevent
> >    unauthorized access to them.
> > -----------------------
>
> I assume that it's in the authorization server's _interest_ to not
divulge
> user credentials to potentially evil third parties. If it's not, whywould
you
> go to the trouble of implementing OAUTH at all?
>
> This is what's so troubling to me. The point is to keep user credentials
away
> from bad guys, but when shown how OAUTH in widely deployed scenarios
fails
> to do that, the response I get from the working group is "Not Our
Problem".
> Well it *is* your problem insofar as you are not advising the
twitterbooks to
> disallow native apps as clients, for example.
>
> >
> > wrt 2) Yes, I think that's the reason. And OAuth is a appropriate
> protocol to achieve this goal, even for mobile apps. Why?
> >
> > A typical mobile application consists of the app itself on the
> device and a corresponding backend service storing user data and
> implementing business and integration logic. Let's assume this
> application features address book import from other service
> providers. W/o OAuth, the app would gather the end-user's credential
> for a certain address book service and pass it to its backend
> service. This service in turn uses this credentials to access the
> service provider's API. So in such a scenario the following parties
> get in touch with the user credentials:
> > - the app
> > - the app's backend service
> > - the address book resource server
>
> With native mobile apps, the client (= app & app backend) isn't it plenty
> enough to be seriously scary if they can screen scrape the credentials
> with impunity? What problem was solved again?
>
> >
> > What threats do you see here? And which is most likely to occur?
> My favorite is an attack against the log files or the database of
> the backend service in order to obtain the end-users passwords for
> the resource server. Why? Because the cost/benefit ratio for an
> attacker is much better then attacking any app installation on a
> device and the protective measure on the resource server might be
> more appropriate then on the client side (backend service).
>
> Botnets prove that either is a successful business model. This isn't a
zero
> sum game, after all.
>
> > OAuth mitigates this kind of attack by reducing the number of
> parties handling user credentials to the authorization server and
> the user agent. So even if the app itself would be the user agent
> (which is not recommended),
>
> Not recommended? It's messed up even thinking of it that way. The
> app is potentially
> *evil*. It really doesn't care what the IETF RECOMMENDS. If it's
> useful for it to be the
> UA, it's going to do just exactly that.
>
> > it would directly interact with the authorization server and the
> app's backend service would use tokens instead of end-user credentials.
>
> The problem here is the capture of end user credentials. I believe that
OAUTH
> defends pretty well in the trusted desktop browser scenario it set
> out to solve
> for. I do not believe that it does that in the new reality of native
> apps, and embedded
> webviews.
>
> | Moreover, the recommended way is to let the app delegate the flow
> to a trusted system
> | component on the user's device, such as the system browser or an
> account manager. In that
> | case, the 3rd party is not getting in touch with the user
> credentials at all.
>
> Again, the Bad Guys are specifically and completely uninterested in
> being good and
> sending it to a trusted component. They will disregard this RECOMMEND
faster
> than you can type it.
> >
> > I think the key question is whether anyone expects OAuth to solve
> the phishing problem. I don't think this is its main purpose, but it
> could facilitate to overcome the habit to enter user credentials
> everywhere. And this in turn may contribute to the fight against
phishing.
>
> There's much more to this than just phishing.
>
> Mike
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email