IETF Logo Mail Archive

Re: [GNAP] security concerns / issues with data in URLs

Fabien Imbault <fabien.imbault@gmail.com> Fri, 20 November 2020 02:29 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D24A53A167E for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 18:29:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7aX4VZvY8sL for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 18:29:07 -0800 (PST)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBEBE3A167C for <txauth@ietf.org>; Thu, 19 Nov 2020 18:29:07 -0800 (PST)
Received: by mail-io1-xd30.google.com with SMTP id l22so1036852iom.0 for <txauth@ietf.org>; Thu, 19 Nov 2020 18:29:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=O0JU/6UJ6Owzc+t29/TKp4y6+4pSrAWUblgNWbaH9xY=; b=II1BOuvlsTRuh4yfdW5RtFBpYJXOhpnRg0dIkj8qXozbHCWV3wB28YnXOrHzTDVvq2 FiMHrP7U53/OPwQ4dLUu1RJLx/bJyhtoZOushFBY6qARd09lnedE63657C/U4tRGc9OC ohM1M+oYpfBcOM9+2WE44PqIz/xj9Lg1axgdLymqQZnk2Q42oUpcgJ6rwoTIp7UQ1Sr0 pd/RgRln9kE8r4G1AGJsmq12VlKudSik+ReI3opeYXX6vntM28S+Tt/a9/vPAk10IxOY jfqNhGZatSoIsunuHC15hrl2FMd19YCuZN7syRpybHgx8d5mlakugNMcGAclVZ04A/dQ b4aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=O0JU/6UJ6Owzc+t29/TKp4y6+4pSrAWUblgNWbaH9xY=; b=irjhJCub7yZl/BicK8ngyn2tl+Y3mU4GFfNsCSZxzjfSg+m9Llk/KJICYtgxZ+d3en D9n17rqVgDo1RKKgLp3geyFi5z7mz1USQH45O5qJ48auPVVSfr2Sp3iENg91Oc1MrcTG DVMwWv7I9aWfRKBRwYsWTH/loofsNjG7YLoB9kWBDuMrNOwWSIv/kmuqz1SN1r3y1EZ0 ZCLsVn1yDu5MG6jDJsr9qC0EavXpcYwIx1i8kfaTq3FufbypScouCUsHLr9eG4TzCzat DEJpppCkmgWmlevP0F2wbg1/OF6rwcM05CzOUAR9eLsfYzB61NkUBEtgrBsOj845nKBW t20w==
X-Gm-Message-State: AOAM530AkdT6HfRq6H2q1jp9dmVmLIUqTQBUm6WNYpUoXtocvml7blmk QYeCrgm/IZq7X8j1dYTMIB9CNmYfqG0Wq52Ebfg=
X-Google-Smtp-Source: ABdhPJwTdY2AAHosS52HK0yOhUwpHFgDJIrN2JJPAiyMwhH46HzGPaYRybfaLR+Gdld9ueHGC7K8ICnUfv+moLX4FM0=
X-Received: by 2002:a6b:4401:: with SMTP id r1mr23034834ioa.78.1605839346934; Thu, 19 Nov 2020 18:29:06 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-v-y+R0Pv3K0KYtVe43AxJ8o89BXZ1vsrVYSJ3SS8Fa=Q@mail.gmail.com> <CAGBSGjpXUrcELkbtXfOvMa+8HTGRs8yyomVu0SoLj+NnXAL+HA@mail.gmail.com> <CAD9ie-vZLhbhDdws8UrJA+_QtU+uA7O+-JEJL9aHQsQPNtNmOA@mail.gmail.com> <CAGBSGjqy7ksa7Tm7qC2YB3yxQ9TxXuL+R03VrUKkarFWMh8kvw@mail.gmail.com> <CAD9ie-uJzs3jWNR6JhjJzorhW+bCBr-j3-juwjckg4e2gU9SzQ@mail.gmail.com> <CAGBSGjp6+wLh_CTt1xxhDVQMUa5mMK_75j+gLJKNH72-S=YJVA@mail.gmail.com> <CAD9ie-thP00ShCm17MQKtLcrrNiUtNoKO=Ez-efrfpizf44eJA@mail.gmail.com>
In-Reply-To: <CAD9ie-thP00ShCm17MQKtLcrrNiUtNoKO=Ez-efrfpizf44eJA@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 20 Nov 2020 03:28:54 +0100
Message-ID: <CAM8feuRmmR+COPkEHwV3z+Fee_9htZBpK-5dA1gZOeKNygdn8A@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d7279505b4809b11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/YBXOoyHcCtxbgyZx4cKcCP-8tGc>
Subject: Re: [GNAP] security concerns / issues with data in URLs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 02:29:10 -0000

Hi Dick,

A requirement (must) brings the nice property that it gives no ambiguity in
the protocol. Having 2 ways of doing things here will hurt more than it
solves anything.

Or is there another linked issue you'd like to address (http headers?)
before we can close this one?

Thanks
Fabien

Le ven. 20 nov. 2020 à 02:24, Dick Hardt <dick.hardt@gmail.com> a écrit :

> Let me clarify -- putting state in what the client sends back to the AS is
> an implementation choice. The protocol does not have to require it, or
> provide it as an option.
> ᐧ
>
> On Thu, Nov 19, 2020 at 5:20 PM Aaron Parecki <aaron@parecki.com> wrote:
>
>> These statements are in conflict with each other:
>>
>> > I agree we should default to a secure stance and not rely on an
>> implementer to deeply understand all the security considerations.
>> and
>> > In GNAP, putting state in an "access token" is an implementation choice.
>>
>> If we give people the option of doing something a less secure way
>> (putting state into the URL), then we have to explain all the security
>> considerations of doing so. By not giving people the option (requiring the
>> access token be sent in a header) then it's secure by default.
>>
>> The risk is if these URLs start containing state, e.g. a JWT, then the
>> contents of the payload may be visible by parties that were not expected to
>> be able to see them, which may have unintended consequences that are not
>> obvious right now.
>>
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>>
>>
>> On Thu, Nov 19, 2020 at 4:48 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> I agree we should default to a secure stance and not rely on an
>>> implementer to deeply understand all the security considerations.
>>>
>>> There is a large difference though between the effort in OAuth and
>>> having state in a URL in GNAP.
>>>
>>> In OAuth, an implementation MUST put all the parameters into the
>>> redirect. PAR allows an implementation to not have to do that.
>>>
>>> In GNAP, putting state in an "access token" is an implementation choice.
>>> Given the client is authenticating on each subsequent call, the server can
>>> maintain state on its side, which I think will be in the vast majority of
>>> implementations.
>>>
>>> wrt. state being in the log -- without the client key, what are the
>>> risks that are different from seeing the URLs and methods?
>>>
>>>
>>>
>>> ᐧ
>>>
>>> On Thu, Nov 19, 2020 at 6:55 AM Aaron Parecki <aaron@parecki.com> wrote:
>>>
>>>> You asked specifically what work in the OAuth group I was referring to.
>>>>
>>>> While it’s true that those two concerns I pointed out in OAuth are more
>>>> specifically about the use of the front channel than the fact that the URL
>>>> contains data, there are still concerns with putting data in URLs as
>>>> pointed out already in this thread.
>>>>
>>>> The most straightforward issue is that in practice there are often
>>>> gateways or reverse proxies in front of servers and they may not be aware
>>>> of what’s behind them or that they should avoid logging certain things.
>>>> While it’s certainly possible to deploy this in a way that *is* secure and
>>>> properly configure it to avoid logging where possible, or encrypt data in
>>>> the URL instead of sign it and such, these seem like just additional
>>>> concerns that we’ll need to spell out in a security considerations section
>>>> and are additional ways that an implementation may end up with security
>>>> issues.
>>>>
>>>> Since we have the opportunity to recommend the best path for new
>>>> developments right now, it feels like we should be taking a more secure
>>>> stance on this and avoid creating situations that we need to explain our
>>>> way out of while we can.
>>>>
>>>> Aaron Parecki
>>>>
>>>>
>>>>
>>>> On Wed, Nov 18, 2020 at 5:05 PM Dick Hardt <dick.hardt@gmail.com>
>>>> wrote:
>>>>
>>>>> Got it, thanks!
>>>>>
>>>>> As we know, there is no certainty of who the originator of a redirect
>>>>> was, and there is no assurance about the integrity or secrecy of the URL
>>>>> contents.
>>>>>
>>>>> Those are not the case in GNAP with the client calling the AS -- so
>>>>> what is the risk of having information in the URL?
>>>>>
>>>>> You had mentioned the information leaking into logs -- but the AS
>>>>> controls those logs -- and the logs are a concern, the AS could put an
>>>>> encrypted token in the URL.
>>>>>
>>>>> ᐧ
>>>>>
>>>>> On Wed, Nov 18, 2020 at 3:38 PM Aaron Parecki <aaron@parecki.com>
>>>>> wrote:
>>>>>
>>>>>> I was referring to the work being done to reduce the reliance on the
>>>>>> front channel:
>>>>>>
>>>>>> * Dropping the Implicit grant
>>>>>> * Adding PAR to initiate an OAuth request from a POST request instead
>>>>>> of GET
>>>>>>
>>>>>> ---
>>>>>> Aaron Parecki
>>>>>> https://aaronparecki.com
>>>>>>
>>>>>>
>>>>>> On Wed, Nov 18, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hey Aaron,
>>>>>>>
>>>>>>> In the WG meeting you referenced work in the OAuth WG about removing
>>>>>>> data that is in URLs for security reaasons. Would you elaborate on what you
>>>>>>> were referring to?
>>>>>>>
>>>>>>> /Dick
>>>>>>> ᐧ
>>>>>>>
>>>>>> --
>>>> ---
>>>> Aaron Parecki
>>>> https://aaronparecki.com
>>>>
>>>> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email