Re: [GNAP] security concerns / issues with data in URLs
Fabien Imbault <fabien.imbault@gmail.com> Fri, 20 November 2020 04:37 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD2F93A1840 for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 20:37:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JYiC7sVgx3z1 for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 20:37:37 -0800 (PST)
Received: from mail-il1-x12e.google.com (mail-il1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B7653A183F for <txauth@ietf.org>; Thu, 19 Nov 2020 20:37:37 -0800 (PST)
Received: by mail-il1-x12e.google.com with SMTP id y18so7400874ilp.13 for <txauth@ietf.org>; Thu, 19 Nov 2020 20:37:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZjAQ6gAzyzyvREpsLK5RFiHMyiHSLp7cgc7uNQ6yuhc=; b=mA97L/pAXG5gB6tJHK6z2UsoAtpntQnF+o5rv7RbZLn5mHGFVY2gV7UXOPxn1V/k1j PkWA/pzO+OsUBHt3FvStYKtxLOpp9pb4I8RGC6UKrFykx93R7S5y7/2npT8JJDGh0b4o Ia78vRUWqqgU4/gDj2o94k3vrYShfw6pJPBGtTxkTGvDGyj/BV0KmEpdfNY3gbHnBZco Mo60lS6eRlWbhJjRJ0h2LelbdPQ3HNuo8/lpAcpsUhUf/oGBVo+CdPdNBNP0Zs3dOIP8 6Et4CaN73UvfFA9Y9YDoFJHv5/WMxpRQEuRYgcBpqA3Kj3+XSZFKXyFx7GRaVHgkskEb h5KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZjAQ6gAzyzyvREpsLK5RFiHMyiHSLp7cgc7uNQ6yuhc=; b=le3DNY+9UlOxGqdacoCf9U2LcRZAs2V2/H5R5NvJGFrRoG9mg5uqv7jULDqwD3b9YZ /re0u8VL6yMdjjjvX9duZSfnEXBsgZ+0cXKT38n+/UDZLn0nTpgtz/kLrURquaxCfxmR 8tl/KwtEDjChBpd4GLVSN24g+GAm91U63An/EyEcTjX4eE9BEtzddloH7vCSyP7s7tFV ta1GgW95tY0ehFl8l3RUtxLPvf6fZ8liEpCTk3meVnfKjHE/i1SrbN85rixXr11zis3R ky74GuTGPp9sMAJxLlu3dM9KJX/KD5dAsl9lGEphWND/cwM2rEpIoRSf4nsTQtbw7J4I wBxQ==
X-Gm-Message-State: AOAM530lVMqQk7Jgl0qhmRzeBJ4ci3v5NrQpDzleSSqJE3feBbDKmyOI NI5f+sgMKW4SridT3C+xkI2S9VWxCXkQ5bX504k=
X-Google-Smtp-Source: ABdhPJx8zRIcub/a2q51epwtgK/OxTB7h7fFR5mFljeQnFiSAf1MuKDUb9ogSvgjFDq5wuiDsRAEYvpuigZYBBCiZBI=
X-Received: by 2002:a92:d489:: with SMTP id p9mr7820650ilg.123.1605847056777; Thu, 19 Nov 2020 20:37:36 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-v-y+R0Pv3K0KYtVe43AxJ8o89BXZ1vsrVYSJ3SS8Fa=Q@mail.gmail.com> <CAGBSGjpXUrcELkbtXfOvMa+8HTGRs8yyomVu0SoLj+NnXAL+HA@mail.gmail.com> <CAD9ie-vZLhbhDdws8UrJA+_QtU+uA7O+-JEJL9aHQsQPNtNmOA@mail.gmail.com> <CAGBSGjqy7ksa7Tm7qC2YB3yxQ9TxXuL+R03VrUKkarFWMh8kvw@mail.gmail.com> <CAD9ie-uJzs3jWNR6JhjJzorhW+bCBr-j3-juwjckg4e2gU9SzQ@mail.gmail.com> <CAGBSGjp6+wLh_CTt1xxhDVQMUa5mMK_75j+gLJKNH72-S=YJVA@mail.gmail.com> <CAD9ie-thP00ShCm17MQKtLcrrNiUtNoKO=Ez-efrfpizf44eJA@mail.gmail.com> <CAM8feuRmmR+COPkEHwV3z+Fee_9htZBpK-5dA1gZOeKNygdn8A@mail.gmail.com> <CAD9ie-trkxsn-8yhTtfe1dPjLwCpvS+ZkeygfWgiwTFNAeMwog@mail.gmail.com> <CAM8feuTj9WC+AEontvKXBhBXPmXZtVi21DKS6zQ155L3cp5JQg@mail.gmail.com> <CAD9ie-t0-rAZ4me=xLxLjWKm3kCv1q06dVfjmoRNgAVPDXteFw@mail.gmail.com>
In-Reply-To: <CAD9ie-t0-rAZ4me=xLxLjWKm3kCv1q06dVfjmoRNgAVPDXteFw@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 20 Nov 2020 05:37:23 +0100
Message-ID: <CAM8feuQUTSG_yaFKZuL-fLJ8F-ZZY3S9_XWbKeb+gbkrMKkrmw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000062081805b4826773"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Kr8-SGR2BqTk-JPZRBq7i6Zcyuw>
Subject: Re: [GNAP] security concerns / issues with data in URLs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 04:37:40 -0000
Great. Le ven. 20 nov. 2020 à 05:00, Dick Hardt <dick.hardt@gmail.com> a écrit : > Got it. > > I have not yet had time to go over the issues and comment. I did look at > 67, and I have a fair amount of feedback on it that I hope to provide soon. > > ᐧ > > On Thu, Nov 19, 2020 at 7:17 PM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > >> I was referring to issue 67, discussed during the call (and during which >> Aaron made the comment you're discussing in the current thread). >> >> Fabien >> >> Le ven. 20 nov. 2020 à 03:59, Dick Hardt <dick.hardt@gmail.com> a écrit : >> >>> Hi Fabien >>> >>> While I agree that a MUST removes ambiguity -- I'm not sure what issue >>> you are referring to that can be closed as I was not referring to any >>> specific issue. >>> >>> I was getting clarity on what the security issues were in having state >>> in the URL. >>> >>> The issue seems to be state information in logs. >>> >>> While the same issue exists with OAuth redirects, which were held up as >>> an example in the GNAP WG meeting, there are many more security issues with >>> the OAuth redirect that do not apply to having state in a GNAP URL. >>> >>> >>> >>> ᐧ >>> >>> On Thu, Nov 19, 2020 at 6:29 PM Fabien Imbault <fabien.imbault@gmail.com> >>> wrote: >>> >>>> Hi Dick, >>>> >>>> A requirement (must) brings the nice property that it gives no >>>> ambiguity in the protocol. Having 2 ways of doing things here will hurt >>>> more than it solves anything. >>>> >>>> Or is there another linked issue you'd like to address (http headers?) >>>> before we can close this one? >>>> >>>> Thanks >>>> Fabien >>>> >>>> Le ven. 20 nov. 2020 à 02:24, Dick Hardt <dick.hardt@gmail.com> a >>>> écrit : >>>> >>>>> Let me clarify -- putting state in what the client sends back to the >>>>> AS is an implementation choice. The protocol does not have to require it, >>>>> or provide it as an option. >>>>> ᐧ >>>>> >>>>> On Thu, Nov 19, 2020 at 5:20 PM Aaron Parecki <aaron@parecki.com> >>>>> wrote: >>>>> >>>>>> These statements are in conflict with each other: >>>>>> >>>>>> > I agree we should default to a secure stance and not rely on an >>>>>> implementer to deeply understand all the security considerations. >>>>>> and >>>>>> > In GNAP, putting state in an "access token" is an implementation >>>>>> choice. >>>>>> >>>>>> If we give people the option of doing something a less secure way >>>>>> (putting state into the URL), then we have to explain all the security >>>>>> considerations of doing so. By not giving people the option (requiring the >>>>>> access token be sent in a header) then it's secure by default. >>>>>> >>>>>> The risk is if these URLs start containing state, e.g. a JWT, then >>>>>> the contents of the payload may be visible by parties that were not >>>>>> expected to be able to see them, which may have unintended consequences >>>>>> that are not obvious right now. >>>>>> >>>>>> --- >>>>>> Aaron Parecki >>>>>> https://aaronparecki.com >>>>>> >>>>>> >>>>>> On Thu, Nov 19, 2020 at 4:48 PM Dick Hardt <dick.hardt@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> I agree we should default to a secure stance and not rely on an >>>>>>> implementer to deeply understand all the security considerations. >>>>>>> >>>>>>> There is a large difference though between the effort in OAuth and >>>>>>> having state in a URL in GNAP. >>>>>>> >>>>>>> In OAuth, an implementation MUST put all the parameters into the >>>>>>> redirect. PAR allows an implementation to not have to do that. >>>>>>> >>>>>>> In GNAP, putting state in an "access token" is an implementation >>>>>>> choice. Given the client is authenticating on each subsequent call, the >>>>>>> server can maintain state on its side, which I think will be in the vast >>>>>>> majority of implementations. >>>>>>> >>>>>>> wrt. state being in the log -- without the client key, what are the >>>>>>> risks that are different from seeing the URLs and methods? >>>>>>> >>>>>>> >>>>>>> >>>>>>> ᐧ >>>>>>> >>>>>>> On Thu, Nov 19, 2020 at 6:55 AM Aaron Parecki <aaron@parecki.com> >>>>>>> wrote: >>>>>>> >>>>>>>> You asked specifically what work in the OAuth group I was referring >>>>>>>> to. >>>>>>>> >>>>>>>> While it’s true that those two concerns I pointed out in OAuth are >>>>>>>> more specifically about the use of the front channel than the fact that the >>>>>>>> URL contains data, there are still concerns with putting data in URLs as >>>>>>>> pointed out already in this thread. >>>>>>>> >>>>>>>> The most straightforward issue is that in practice there are often >>>>>>>> gateways or reverse proxies in front of servers and they may not be aware >>>>>>>> of what’s behind them or that they should avoid logging certain things. >>>>>>>> While it’s certainly possible to deploy this in a way that *is* secure and >>>>>>>> properly configure it to avoid logging where possible, or encrypt data in >>>>>>>> the URL instead of sign it and such, these seem like just additional >>>>>>>> concerns that we’ll need to spell out in a security considerations section >>>>>>>> and are additional ways that an implementation may end up with security >>>>>>>> issues. >>>>>>>> >>>>>>>> Since we have the opportunity to recommend the best path for new >>>>>>>> developments right now, it feels like we should be taking a more secure >>>>>>>> stance on this and avoid creating situations that we need to explain our >>>>>>>> way out of while we can. >>>>>>>> >>>>>>>> Aaron Parecki >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Nov 18, 2020 at 5:05 PM Dick Hardt <dick.hardt@gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Got it, thanks! >>>>>>>>> >>>>>>>>> As we know, there is no certainty of who the originator of a >>>>>>>>> redirect was, and there is no assurance about the integrity or secrecy of >>>>>>>>> the URL contents. >>>>>>>>> >>>>>>>>> Those are not the case in GNAP with the client calling the AS -- >>>>>>>>> so what is the risk of having information in the URL? >>>>>>>>> >>>>>>>>> You had mentioned the information leaking into logs -- but the AS >>>>>>>>> controls those logs -- and the logs are a concern, the AS could put an >>>>>>>>> encrypted token in the URL. >>>>>>>>> >>>>>>>>> ᐧ >>>>>>>>> >>>>>>>>> On Wed, Nov 18, 2020 at 3:38 PM Aaron Parecki <aaron@parecki.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> I was referring to the work being done to reduce the reliance on >>>>>>>>>> the front channel: >>>>>>>>>> >>>>>>>>>> * Dropping the Implicit grant >>>>>>>>>> * Adding PAR to initiate an OAuth request from a POST request >>>>>>>>>> instead of GET >>>>>>>>>> >>>>>>>>>> --- >>>>>>>>>> Aaron Parecki >>>>>>>>>> https://aaronparecki.com >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Wed, Nov 18, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Hey Aaron, >>>>>>>>>>> >>>>>>>>>>> In the WG meeting you referenced work in the OAuth WG about >>>>>>>>>>> removing data that is in URLs for security reaasons. Would you elaborate on >>>>>>>>>>> what you were referring to? >>>>>>>>>>> >>>>>>>>>>> /Dick >>>>>>>>>>> ᐧ >>>>>>>>>>> >>>>>>>>>> -- >>>>>>>> --- >>>>>>>> Aaron Parecki >>>>>>>> https://aaronparecki.com >>>>>>>> >>>>>>>> -- >>>>> TXAuth mailing list >>>>> TXAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>> >>>>
- [GNAP] security concerns / issues with data in UR… Dick Hardt
- Re: [GNAP] security concerns / issues with data i… Aaron Parecki
- Re: [GNAP] security concerns / issues with data i… Dick Hardt
- Re: [GNAP] security concerns / issues with data i… Leif Johansson
- Re: [GNAP] security concerns / issues with data i… Kyle Larose
- Re: [GNAP] security concerns / issues with data i… Aaron Parecki
- Re: [GNAP] security concerns / issues with data i… Dick Hardt
- Re: [GNAP] security concerns / issues with data i… Aaron Parecki
- Re: [GNAP] security concerns / issues with data i… Dick Hardt
- Re: [GNAP] security concerns / issues with data i… Fabien Imbault
- Re: [GNAP] security concerns / issues with data i… Dick Hardt
- Re: [GNAP] security concerns / issues with data i… Fabien Imbault
- Re: [GNAP] security concerns / issues with data i… Dick Hardt
- Re: [GNAP] security concerns / issues with data i… Fabien Imbault