Re: [GNAP] security concerns / issues with data in URLs

Dick Hardt <dick.hardt@gmail.com> Thu, 19 November 2020 01:05 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F9E43A1094 for <txauth@ietfa.amsl.com>; Wed, 18 Nov 2020 17:05:15 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GXMAX2a-IBzh for <txauth@ietfa.amsl.com>; Wed, 18 Nov 2020 17:05:14 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 055743A1093 for <txauth@ietf.org>; Wed, 18 Nov 2020 17:05:13 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id u19so5796293lfr.7 for <txauth@ietf.org>; Wed, 18 Nov 2020 17:05:13 -0800 (PST)
X-Received: by 2002:a05:6512:3137:: with SMTP id p23mr4464068lfd.67.1605747911683; Wed, 18 Nov 2020 17:05:11 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-v-y+R0Pv3K0KYtVe43AxJ8o89BXZ1vsrVYSJ3SS8Fa=Q@mail.gmail.com> <CAGBSGjpXUrcELkbtXfOvMa+8HTGRs8yyomVu0SoLj+NnXAL+HA@mail.gmail.com>
In-Reply-To: <CAGBSGjpXUrcELkbtXfOvMa+8HTGRs8yyomVu0SoLj+NnXAL+HA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 18 Nov 2020 17:04:35 -0800
Message-ID: <CAD9ie-vZLhbhDdws8UrJA+_QtU+uA7O+-JEJL9aHQsQPNtNmOA@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dff1ec05b46b5115"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/MywSqABjHmCODMKKC-BwXomJwag>
Subject: Re: [GNAP] security concerns / issues with data in URLs
X-List-Received-Date: Thu, 19 Nov 2020 01:05:16 -0000

Got it, thanks!

As we know, there is no certainty of who the originator of a redirect was,
and there is no assurance about the integrity or secrecy of the URL
contents.

Those are not the case in GNAP with the client calling the AS -- so what is
the risk of having information in the URL?

You had mentioned the information leaking into logs -- but the AS controls
those logs -- and if the logs are a concern, the AS could put an encrypted
token in the URL.


On Wed, Nov 18, 2020 at 3:38 PM Aaron Parecki <aaron@parecki.com> wrote:

> I was referring to the work being done to reduce the reliance on the front
> channel:
>
> * Dropping the Implicit grant
> * Adding PAR to initiate an OAuth request from a POST request instead of
> GET
>
> ---
> Aaron Parecki
> https://aaronparecki.com
>
>
> On Wed, Nov 18, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> Hey Aaron,
>>
>> In the WG meeting you referenced work in the OAuth WG about removing data
>> that is in URLs for security reasons. Would you elaborate on what you were
>> referring to?
>>
>> /Dick
>>
>
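The two positions in this thread can be made concrete with a small model. The following Python is an added example, not code from the thread, from the GNAP drafts, or from any OAuth implementation: it contrasts a front-channel GET whose query string carries the request parameters with a pushed request (the PAR pattern Aaron refers to) where the client POSTs the parameters and receives an opaque, short-lived, single-use reference, so the only thing a URL or an access log ever captures is that reference. The `request_uri` URN prefix is the one PAR (RFC 9126) defines; the client, scope and host values are constructed for illustration and the `AuthorizationServer` class is a hypothetical stand-in for an AS.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Constructed sample of what a client would otherwise put in a front-channel GET.
# All values are hypothetical.
SAMPLE_REQUEST = {
    "client_id": "example-client",
    "redirect_uri": "https://client.example/cb",
    "scope": "read_profile",
    "state": "abc123",
}


@dataclass
class PushedRequest:
    params: Dict[str, str]
    expires_at: float
    used: bool = False


@dataclass
class AuthorizationServer:
    """Hypothetical AS that accepts pushed requests over POST and returns an opaque
    reference; parameters live server-side and never appear in a URL."""
    ttl_seconds: int = 60
    _store: Dict[str, PushedRequest] = field(default_factory=dict)
    access_log: List[str] = field(default_factory=list)

    def push(self, params: Dict[str, str], now: Optional[float] = None) -> str:
        """Back-channel POST: store the parameters, hand back an unguessable reference."""
        now = time.time() if now is None else now
        ref = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
        self._store[ref] = PushedRequest(dict(params), now + self.ttl_seconds)
        return ref

    def authorize(self, query: Dict[str, str], now: Optional[float] = None):
        """Front-channel GET: the request line is logged as a real server would log it,
        so the log captures only the opaque reference, then the reference is redeemed."""
        now = time.time() if now is None else now
        self.access_log.append(f"GET /authorize?{urlencode(query)}")
        entry = self._store.get(query.get("request_uri", ""))
        if entry is None or entry.used or now > entry.expires_at:
            return None  # unknown, already redeemed, or expired reference
        entry.used = True  # single use: a reference that leaks cannot be replayed later
        return entry.params


def front_channel_url(params: Dict[str, str]) -> str:
    """The pattern under discussion: request parameters carried in a GET URL."""
    return "https://as.example/authorize?" + urlencode(params)


def log_leaks_parameters(log_line: str, params: Dict[str, str]) -> bool:
    """True if any request parameter value is visible in a logged request line."""
    return any(value in log_line for value in params.values())


if __name__ == "__main__":
    print("front channel:", front_channel_url(SAMPLE_REQUEST))
    server = AuthorizationServer()
    ref = server.push(SAMPLE_REQUEST)
    print("pushed:", server.authorize({"request_uri": ref}))
    print("logged:", server.access_log[0])
    print("replay:", server.authorize({"request_uri": ref}))
```

The front-channel URL exposes the client id, scope and state to anything that records request lines; the pushed variant logs only a random reference that is useless after one redemption or after its lifetime, which is the property Dick's "encrypted token in the URL" suggestion is also reaching for. Who issues the reference and where the parameters are stored is the design choice the thread is debating; the mechanics of keeping them out of the URL are the same either way.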