IETF Logo Mail Archive

Re: [GNAP] security concerns / issues with data in URLs

Dick Hardt <dick.hardt@gmail.com> Fri, 20 November 2020 04:00 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 603673A17AB for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 20:00:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kebKvjhwGU0T for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 20:00:35 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B06843A17AA for <txauth@ietf.org>; Thu, 19 Nov 2020 20:00:34 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id w142so11495060lff.8 for <txauth@ietf.org>; Thu, 19 Nov 2020 20:00:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1lVVWsnnYu9TzeQxs3ajX0JPswhHh8VWWKVcZR6B3eE=; b=q/t8wHHEnjgbTpIhOG4tGgYwNhU2pZp/aE3oUHEpPZQRvAgUWnjIRryFP8AWYgkCJS 8gxkKwOjxTk6dRfy1Ny1k0sHQ7DYA/ByTmg5f889ycY/HaHXEl4mfvNMPjb90tdQX5JG zjWF1t9/NE+v3PYD2o4PIscVwZtKzo7drFHmWIUD0JugYaHECzzVOiMxxUqUVffKUBdG gAD8ieb9yc3lHP8vjex+DGDyXPkLLzCklhK65PqibVkCJoC6lkDmlgFbQyiTX9eD9PwC 9M7Zxchkzzn0m30Xu1EblRPM1UgkqrKDeVd24iKR+VOW6IKICyZMS4kIb04wR6+bvKtb +tUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1lVVWsnnYu9TzeQxs3ajX0JPswhHh8VWWKVcZR6B3eE=; b=B2Lqvs7NusWK32jw95ZjLjbK41eiflRMyQYmVWIctN03om2JO0csFdqD/8ZeGJOiGf vE5knk111Kp8IZIOfz9PX/3NC04oEloQLlysgA4YdhCxR+SG60rFExt+7m+3OTaDSjtk s6dffbxf3DbSS5NCkl67KD0Lf1YJRbYmOY+M1iVrmBVqqvXZrvLbP89SJBMijubPi2XH nr2SCLWDe60fxVhDleHLFag1cUqhApkueNJRJ660/t6ARXFa44J1h/qv1se9pJSs0FzX uY8yUKXrT/AhHT7JImXkval6I5+TAkEsiBDp8p84AMjAmTk9Oxdb6pJlIcYySDESKP0r 5FKA==
X-Gm-Message-State: AOAM533UyBm/5AUyfAk4nX5mBlb8ZIIbtaUCVTXaa3+ACpCacQe+D1Ok C65kf0Qoq58wVDL0A0zstP197l2QYFPqWK3tJp8=
X-Google-Smtp-Source: ABdhPJzOSjpNsdJq17l/vWPw/KwXvX1oubikhUa7mV/nqF1MaTXZmk5pz2rjGG4n5SWMNPotQNOG4ZuPiPwkp175bII=
X-Received: by 2002:a05:6512:6c5:: with SMTP id u5mr7559875lff.316.1605844832536; Thu, 19 Nov 2020 20:00:32 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-v-y+R0Pv3K0KYtVe43AxJ8o89BXZ1vsrVYSJ3SS8Fa=Q@mail.gmail.com> <CAGBSGjpXUrcELkbtXfOvMa+8HTGRs8yyomVu0SoLj+NnXAL+HA@mail.gmail.com> <CAD9ie-vZLhbhDdws8UrJA+_QtU+uA7O+-JEJL9aHQsQPNtNmOA@mail.gmail.com> <CAGBSGjqy7ksa7Tm7qC2YB3yxQ9TxXuL+R03VrUKkarFWMh8kvw@mail.gmail.com> <CAD9ie-uJzs3jWNR6JhjJzorhW+bCBr-j3-juwjckg4e2gU9SzQ@mail.gmail.com> <CAGBSGjp6+wLh_CTt1xxhDVQMUa5mMK_75j+gLJKNH72-S=YJVA@mail.gmail.com> <CAD9ie-thP00ShCm17MQKtLcrrNiUtNoKO=Ez-efrfpizf44eJA@mail.gmail.com> <CAM8feuRmmR+COPkEHwV3z+Fee_9htZBpK-5dA1gZOeKNygdn8A@mail.gmail.com> <CAD9ie-trkxsn-8yhTtfe1dPjLwCpvS+ZkeygfWgiwTFNAeMwog@mail.gmail.com> <CAM8feuTj9WC+AEontvKXBhBXPmXZtVi21DKS6zQ155L3cp5JQg@mail.gmail.com>
In-Reply-To: <CAM8feuTj9WC+AEontvKXBhBXPmXZtVi21DKS6zQ155L3cp5JQg@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 19 Nov 2020 19:59:56 -0800
Message-ID: <CAD9ie-t0-rAZ4me=xLxLjWKm3kCv1q06dVfjmoRNgAVPDXteFw@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cecdab05b481e2ff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/3X0UnIV6a3bPwcq-BPhQX0cfQMI>
Subject: Re: [GNAP] security concerns / issues with data in URLs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 04:00:37 -0000

Got it.

I have not yet had time to go over the issues and comment. I did look at
67, and I have a fair amount of feedback on it that I hope to provide soon.

ᐧ

On Thu, Nov 19, 2020 at 7:17 PM Fabien Imbault <fabien.imbault@gmail.com>
wrote:

> I was referring to issue 67, discussed during the call (and during which
> Aaron made the comment you're discussing in the current thread).
>
> Fabien
>
> Le ven. 20 nov. 2020 à 03:59, Dick Hardt <dick.hardt@gmail.com> a écrit :
>
>> Hi Fabien
>>
>> While I agree that a MUST removes ambiguity -- I'm not sure what issue
>> you are referring to that can be closed as I was not referring to any
>> specific issue.
>>
>> I was getting clarity on what the security issues were in having state in
>> the URL.
>>
>> The issue seems to be state information in logs.
>>
>> While the same issue exists with OAuth redirects, which were held up as
>> an example in the GNAP WG meeting, there are many more security issues with
>> the OAuth redirect that do not apply to having state in a GNAP URL.
>>
>>
>>
>> ᐧ
>>
>> On Thu, Nov 19, 2020 at 6:29 PM Fabien Imbault <fabien.imbault@gmail.com>
>> wrote:
>>
>>> Hi Dick,
>>>
>>> A requirement (must) brings the nice property that it gives no ambiguity
>>> in the protocol. Having 2 ways of doing things here will hurt more than it
>>> solves anything.
>>>
>>> Or is there another linked issue you'd like to address (http headers?)
>>> before we can close this one?
>>>
>>> Thanks
>>> Fabien
>>>
>>> Le ven. 20 nov. 2020 à 02:24, Dick Hardt <dick.hardt@gmail.com> a
>>> écrit :
>>>
>>>> Let me clarify -- putting state in what the client sends back to the AS
>>>> is an implementation choice. The protocol does not have to require it, or
>>>> provide it as an option.
>>>> ᐧ
>>>>
>>>> On Thu, Nov 19, 2020 at 5:20 PM Aaron Parecki <aaron@parecki.com>
>>>> wrote:
>>>>
>>>>> These statements are in conflict with each other:
>>>>>
>>>>> > I agree we should default to a secure stance and not rely on an
>>>>> implementer to deeply understand all the security considerations.
>>>>> and
>>>>> > In GNAP, putting state in an "access token" is an implementation
>>>>> choice.
>>>>>
>>>>> If we give people the option of doing something a less secure way
>>>>> (putting state into the URL), then we have to explain all the security
>>>>> considerations of doing so. By not giving people the option (requiring the
>>>>> access token be sent in a header) then it's secure by default.
>>>>>
>>>>> The risk is if these URLs start containing state, e.g. a JWT, then the
>>>>> contents of the payload may be visible by parties that were not expected to
>>>>> be able to see them, which may have unintended consequences that are not
>>>>> obvious right now.
>>>>>
>>>>> ---
>>>>> Aaron Parecki
>>>>> https://aaronparecki.com
>>>>>
>>>>>
>>>>> On Thu, Nov 19, 2020 at 4:48 PM Dick Hardt <dick.hardt@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I agree we should default to a secure stance and not rely on an
>>>>>> implementer to deeply understand all the security considerations.
>>>>>>
>>>>>> There is a large difference though between the effort in OAuth and
>>>>>> having state in a URL in GNAP.
>>>>>>
>>>>>> In OAuth, an implementation MUST put all the parameters into the
>>>>>> redirect. PAR allows an implementation to not have to do that.
>>>>>>
>>>>>> In GNAP, putting state in an "access token" is an implementation
>>>>>> choice. Given the client is authenticating on each subsequent call, the
>>>>>> server can maintain state on its side, which I think will be in the vast
>>>>>> majority of implementations.
>>>>>>
>>>>>> wrt. state being in the log -- without the client key, what are the
>>>>>> risks that are different from seeing the URLs and methods?
>>>>>>
>>>>>>
>>>>>>
>>>>>> ᐧ
>>>>>>
>>>>>> On Thu, Nov 19, 2020 at 6:55 AM Aaron Parecki <aaron@parecki.com>
>>>>>> wrote:
>>>>>>
>>>>>>> You asked specifically what work in the OAuth group I was referring
>>>>>>> to.
>>>>>>>
>>>>>>> While it’s true that those two concerns I pointed out in OAuth are
>>>>>>> more specifically about the use of the front channel than the fact that the
>>>>>>> URL contains data, there are still concerns with putting data in URLs as
>>>>>>> pointed out already in this thread.
>>>>>>>
>>>>>>> The most straightforward issue is that in practice there are often
>>>>>>> gateways or reverse proxies in front of servers and they may not be aware
>>>>>>> of what’s behind them or that they should avoid logging certain things.
>>>>>>> While it’s certainly possible to deploy this in a way that *is* secure and
>>>>>>> properly configure it to avoid logging where possible, or encrypt data in
>>>>>>> the URL instead of sign it and such, these seem like just additional
>>>>>>> concerns that we’ll need to spell out in a security considerations section
>>>>>>> and are additional ways that an implementation may end up with security
>>>>>>> issues.
>>>>>>>
>>>>>>> Since we have the opportunity to recommend the best path for new
>>>>>>> developments right now, it feels like we should be taking a more secure
>>>>>>> stance on this and avoid creating situations that we need to explain our
>>>>>>> way out of while we can.
>>>>>>>
>>>>>>> Aaron Parecki
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Nov 18, 2020 at 5:05 PM Dick Hardt <dick.hardt@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Got it, thanks!
>>>>>>>>
>>>>>>>> As we know, there is no certainty of who the originator of a
>>>>>>>> redirect was, and there is no assurance about the integrity or secrecy of
>>>>>>>> the URL contents.
>>>>>>>>
>>>>>>>> Those are not the case in GNAP with the client calling the AS -- so
>>>>>>>> what is the risk of having information in the URL?
>>>>>>>>
>>>>>>>> You had mentioned the information leaking into logs -- but the AS
>>>>>>>> controls those logs -- and the logs are a concern, the AS could put an
>>>>>>>> encrypted token in the URL.
>>>>>>>>
>>>>>>>> ᐧ
>>>>>>>>
>>>>>>>> On Wed, Nov 18, 2020 at 3:38 PM Aaron Parecki <aaron@parecki.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> I was referring to the work being done to reduce the reliance on
>>>>>>>>> the front channel:
>>>>>>>>>
>>>>>>>>> * Dropping the Implicit grant
>>>>>>>>> * Adding PAR to initiate an OAuth request from a POST request
>>>>>>>>> instead of GET
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>> Aaron Parecki
>>>>>>>>> https://aaronparecki.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Nov 18, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hey Aaron,
>>>>>>>>>>
>>>>>>>>>> In the WG meeting you referenced work in the OAuth WG about
>>>>>>>>>> removing data that is in URLs for security reaasons. Would you elaborate on
>>>>>>>>>> what you were referring to?
>>>>>>>>>>
>>>>>>>>>> /Dick
>>>>>>>>>> ᐧ
>>>>>>>>>>
>>>>>>>>> --
>>>>>>> ---
>>>>>>> Aaron Parecki
>>>>>>> https://aaronparecki.com
>>>>>>>
>>>>>>> --
>>>> TXAuth mailing list
>>>> TXAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>>

v2.23.0 | Report a Bug | By Email