IETF Logo Mail Archive

Re: [GNAP] security concerns / issues with data in URLs

Aaron Parecki <aaron@parecki.com> Fri, 20 November 2020 01:20 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A62443A1483 for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 17:20:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qP88yZcHNVlZ for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 17:20:13 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9E003A1481 for <txauth@ietf.org>; Thu, 19 Nov 2020 17:20:13 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id d17so8261284ion.4 for <txauth@ietf.org>; Thu, 19 Nov 2020 17:20:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MHnuPV7j8cj0WshaSfvftH1YiiowQk3zVjwKFCUXCyg=; b=Cd1cJgr42yfVmhFERca+p+hJpE5bCZxYOt0GgRZMI4yAZNqWYgEyHx8X9s27LhDRUk vJJaPm8HRxnXyIgigfO4u8FvWA9Ao2I4WT6S9Q+omcQbxIxyj0wg7hYz00Ol0vO9eCOq Frr3xkz8b8mD6fHtOIUpDJOkq2koAM0SLIVz0cGmnTeQj3ONgDdSiXe7969RzeP7+XVW GQv5Nc/o6APmU4YA/HMHvLvvw84A3jPNaPGRr62NMOL0IVfTqBI7n32KkMGn8DRktnfk YN6RjwejqvQtXOGF97KcMeE/MfFxMmY9+pb08b2041aH5RjN1qF4fvhk3Ss/YxruqIRe PEqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MHnuPV7j8cj0WshaSfvftH1YiiowQk3zVjwKFCUXCyg=; b=G3MTUt0bgqDkr6Esc0qNYSf2u2uaTsPIZJNd9BoNNxfiCEUS5iaGOBAGoZmOZqtw3/ H5yLLNgm90iCAjUumc7ImVgJQcwo86RRNAP4uHkHj3pand5hwQAacZ+h0hxRbkFnCTxn 7nbbUnP5rJSsGzpeuPTBmlFeRIN4I5f5qdVU4ixr2l4gpoXKBEookMZh+CNFMcpfqWO5 DHFL3ZBAvbHpiGFZzR+ywKYm92TmERSxeXZGrm/4ijaxoWt306eBLMKeBodj5edTDr4l nDHS+gJ5Rc6e2WctjVySnsnN4oEsEpXLXsOBqmYqtMXY6WGr9kYEjMnDquE4wP/CJgJl MBZQ==
X-Gm-Message-State: AOAM530uX1x0QLbNKIuswn5lh3FpBnCZSu5dQWpLK1pScuc7/2lObD9B KvFgTLPEUkN0JqdbOMAiCKNhTK0kIyVRhA==
X-Google-Smtp-Source: ABdhPJyPZRLMT1nd5JwEoLyoHOzlNBFHgQHdlzrcbeWT2lx8q485GbiNtLuwK/iloJ8PWY5hOh3jpw==
X-Received: by 2002:a02:ce83:: with SMTP id y3mr16720445jaq.31.1605835212118; Thu, 19 Nov 2020 17:20:12 -0800 (PST)
Received: from mail-io1-f48.google.com (mail-io1-f48.google.com. [209.85.166.48]) by smtp.gmail.com with ESMTPSA id w18sm743887ilq.32.2020.11.19.17.20.10 for <txauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 19 Nov 2020 17:20:10 -0800 (PST)
Received: by mail-io1-f48.google.com with SMTP id i9so8264482ioo.2 for <txauth@ietf.org>; Thu, 19 Nov 2020 17:20:10 -0800 (PST)
X-Received: by 2002:a05:6638:1212:: with SMTP id n18mr14215486jas.38.1605835210201; Thu, 19 Nov 2020 17:20:10 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-v-y+R0Pv3K0KYtVe43AxJ8o89BXZ1vsrVYSJ3SS8Fa=Q@mail.gmail.com> <CAGBSGjpXUrcELkbtXfOvMa+8HTGRs8yyomVu0SoLj+NnXAL+HA@mail.gmail.com> <CAD9ie-vZLhbhDdws8UrJA+_QtU+uA7O+-JEJL9aHQsQPNtNmOA@mail.gmail.com> <CAGBSGjqy7ksa7Tm7qC2YB3yxQ9TxXuL+R03VrUKkarFWMh8kvw@mail.gmail.com> <CAD9ie-uJzs3jWNR6JhjJzorhW+bCBr-j3-juwjckg4e2gU9SzQ@mail.gmail.com>
In-Reply-To: <CAD9ie-uJzs3jWNR6JhjJzorhW+bCBr-j3-juwjckg4e2gU9SzQ@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 19 Nov 2020 17:19:59 -0800
X-Gmail-Original-Message-ID: <CAGBSGjp6+wLh_CTt1xxhDVQMUa5mMK_75j+gLJKNH72-S=YJVA@mail.gmail.com>
Message-ID: <CAGBSGjp6+wLh_CTt1xxhDVQMUa5mMK_75j+gLJKNH72-S=YJVA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000045a25405b47fa515"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/WNTXKMTtmLTPkDyib9zY8fA9ZCg>
Subject: Re: [GNAP] security concerns / issues with data in URLs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 01:20:16 -0000

These statements are in conflict with each other:

> I agree we should default to a secure stance and not rely on an
implementer to deeply understand all the security considerations.
and
> In GNAP, putting state in an "access token" is an implementation choice.

If we give people the option of doing something a less secure way (putting
state into the URL), then we have to explain all the security
considerations of doing so. By not giving people the option (requiring the
access token be sent in a header) then it's secure by default.

The risk is if these URLs start containing state, e.g. a JWT, then the
contents of the payload may be visible by parties that were not expected to
be able to see them, which may have unintended consequences that are not
obvious right now.

---
Aaron Parecki
https://aaronparecki.com


On Thu, Nov 19, 2020 at 4:48 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> I agree we should default to a secure stance and not rely on an
> implementer to deeply understand all the security considerations.
>
> There is a large difference though between the effort in OAuth and having
> state in a URL in GNAP.
>
> In OAuth, an implementation MUST put all the parameters into the redirect.
> PAR allows an implementation to not have to do that.
>
> In GNAP, putting state in an "access token" is an implementation choice.
> Given the client is authenticating on each subsequent call, the server can
> maintain state on its side, which I think will be in the vast majority of
> implementations.
>
> wrt. state being in the log -- without the client key, what are the risks
> that are different from seeing the URLs and methods?
>
>
>
> ᐧ
>
> On Thu, Nov 19, 2020 at 6:55 AM Aaron Parecki <aaron@parecki.com> wrote:
>
>> You asked specifically what work in the OAuth group I was referring to.
>>
>> While it’s true that those two concerns I pointed out in OAuth are more
>> specifically about the use of the front channel than the fact that the URL
>> contains data, there are still concerns with putting data in URLs as
>> pointed out already in this thread.
>>
>> The most straightforward issue is that in practice there are often
>> gateways or reverse proxies in front of servers and they may not be aware
>> of what’s behind them or that they should avoid logging certain things.
>> While it’s certainly possible to deploy this in a way that *is* secure and
>> properly configure it to avoid logging where possible, or encrypt data in
>> the URL instead of sign it and such, these seem like just additional
>> concerns that we’ll need to spell out in a security considerations section
>> and are additional ways that an implementation may end up with security
>> issues.
>>
>> Since we have the opportunity to recommend the best path for new
>> developments right now, it feels like we should be taking a more secure
>> stance on this and avoid creating situations that we need to explain our
>> way out of while we can.
>>
>> Aaron Parecki
>>
>>
>>
>> On Wed, Nov 18, 2020 at 5:05 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Got it, thanks!
>>>
>>> As we know, there is no certainty of who the originator of a redirect
>>> was, and there is no assurance about the integrity or secrecy of the URL
>>> contents.
>>>
>>> Those are not the case in GNAP with the client calling the AS -- so what
>>> is the risk of having information in the URL?
>>>
>>> You had mentioned the information leaking into logs -- but the AS
>>> controls those logs -- and the logs are a concern, the AS could put an
>>> encrypted token in the URL.
>>>
>>> ᐧ
>>>
>>> On Wed, Nov 18, 2020 at 3:38 PM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> I was referring to the work being done to reduce the reliance on the
>>>> front channel:
>>>>
>>>> * Dropping the Implicit grant
>>>> * Adding PAR to initiate an OAuth request from a POST request instead
>>>> of GET
>>>>
>>>> ---
>>>> Aaron Parecki
>>>> https://aaronparecki.com
>>>>
>>>>
>>>> On Wed, Nov 18, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com>
>>>> wrote:
>>>>
>>>>> Hey Aaron,
>>>>>
>>>>> In the WG meeting you referenced work in the OAuth WG about removing
>>>>> data that is in URLs for security reaasons. Would you elaborate on what you
>>>>> were referring to?
>>>>>
>>>>> /Dick
>>>>> ᐧ
>>>>>
>>>> --
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>>
>>

v2.23.0 | Report a Bug | By Email