IETF Logo Mail Archive

Re: [GNAP] security concerns / issues with data in URLs

Aaron Parecki <aaron@parecki.com> Thu, 19 November 2020 14:55 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AA493A09EA for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 06:55:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2DUMywbeIE7x for <txauth@ietfa.amsl.com>; Thu, 19 Nov 2020 06:55:29 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B23123A09F1 for <txauth@ietf.org>; Thu, 19 Nov 2020 06:55:29 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id u21so6334774iol.12 for <txauth@ietf.org>; Thu, 19 Nov 2020 06:55:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iUitUInNY53a9VIg6V/NuFYRbFxx91DpbhNEFZZvXq4=; b=iqHcClSctfrXn/m/OYtJ91IHxIaiBKIlBnTkPfTNTzMJXG5DqhgDLlnJfna5HRyKC5 rfXvOSIoMFNLoTaa+T1J0mZgvLHpcGqLp1vVoBVqRfGIOm3DGFQzbQHP//Z6GrIQ20nw OjeTBZYXDeW6c3uYmbH6iNJoXYkum6cwaX/GUuhKLxBsSQxo+K+eNOadDiOjSVryEtA/ Ho2qP1BDpSAgnURo0MPsx4To1V3fy0D/e+2cL/Kmj/foe3XgN7a5Mro4GZ31TNQPMPWe rTgBckStwSg0foUUpoxCMWPCRwlvCQ0asv4DGtJnj2N3RNCe43T96MFEw3Y+weVhveF2 qFuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iUitUInNY53a9VIg6V/NuFYRbFxx91DpbhNEFZZvXq4=; b=KSNH+xZg4i8/+exRZlWEfexIu6VtLjG6U5KF0q/Pe3UzCm6c7/jv82nqe+X30UMtpP I484J1JhugY/CALKtJX75Nc8bM8I7v8eyB9cbdEjs3BWOsYVGGejqi5sjiuSven9sX2A eTpYXTNpM8mqfDScVEgrRO3hZZJ1E+qDN1rTHYJ1rtO0E+ytHKNDXrZZ5+ipMUpR6oR6 ZPGMhBJVNR6IELJtkm2ZmNuzTn7zSACx2YgDMd3spSnP1nR8crCLHt1OHhOaDgfgo/aF zfI2n0SwsS8j/e5kRN6KhC37VrevR/2cLtBS4U4r9l96LRab8C1pzQncktUwQyP0Llxs V4/g==
X-Gm-Message-State: AOAM531705G/00GpeDUfImhkQU3mgkdL9POftMoS7GeM7D9WUFqCiacS QD1ebht4KkpIy1c1vipXzo90hN5us8sSGA==
X-Google-Smtp-Source: ABdhPJwW2PD152+cYelwHvYywhHovGK1YvHyr4xmErjp4EMuBPBJeKYONT/aiptbwKIHxYNOBW5AWA==
X-Received: by 2002:a5e:aa17:: with SMTP id s23mr21652094ioe.179.1605797728171; Thu, 19 Nov 2020 06:55:28 -0800 (PST)
Received: from mail-il1-f182.google.com (mail-il1-f182.google.com. [209.85.166.182]) by smtp.gmail.com with ESMTPSA id o8sm14074358ioo.20.2020.11.19.06.55.26 for <txauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 19 Nov 2020 06:55:27 -0800 (PST)
Received: by mail-il1-f182.google.com with SMTP id y9so5619544ilb.0 for <txauth@ietf.org>; Thu, 19 Nov 2020 06:55:26 -0800 (PST)
X-Received: by 2002:a92:c5d0:: with SMTP id s16mr20008906ilt.17.1605797726655; Thu, 19 Nov 2020 06:55:26 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-v-y+R0Pv3K0KYtVe43AxJ8o89BXZ1vsrVYSJ3SS8Fa=Q@mail.gmail.com> <CAGBSGjpXUrcELkbtXfOvMa+8HTGRs8yyomVu0SoLj+NnXAL+HA@mail.gmail.com> <CAD9ie-vZLhbhDdws8UrJA+_QtU+uA7O+-JEJL9aHQsQPNtNmOA@mail.gmail.com>
In-Reply-To: <CAD9ie-vZLhbhDdws8UrJA+_QtU+uA7O+-JEJL9aHQsQPNtNmOA@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 19 Nov 2020 06:55:16 -0800
X-Gmail-Original-Message-ID: <CAGBSGjqy7ksa7Tm7qC2YB3yxQ9TxXuL+R03VrUKkarFWMh8kvw@mail.gmail.com>
Message-ID: <CAGBSGjqy7ksa7Tm7qC2YB3yxQ9TxXuL+R03VrUKkarFWMh8kvw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014212d05b476eb6f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/mW1GMtUskn9mmoM9cno5evfkLRQ>
Subject: Re: [GNAP] security concerns / issues with data in URLs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 14:55:31 -0000

You asked specifically what work in the OAuth group I was referring to.

While it’s true that those two concerns I pointed out in OAuth are more
specifically about the use of the front channel than the fact that the URL
contains data, there are still concerns with putting data in URLs as
pointed out already in this thread.

The most straightforward issue is that in practice there are often gateways
or reverse proxies in front of servers and they may not be aware of what’s
behind them or that they should avoid logging certain things. While it’s
certainly possible to deploy this in a way that *is* secure and properly
configure it to avoid logging where possible, or encrypt data in the URL
instead of sign it and such, these seem like just additional concerns that
we’ll need to spell out in a security considerations section and are
additional ways that an implementation may end up with security issues.

Since we have the opportunity to recommend the best path for new
developments right now, it feels like we should be taking a more secure
stance on this and avoid creating situations that we need to explain our
way out of while we can.

Aaron Parecki



On Wed, Nov 18, 2020 at 5:05 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> Got it, thanks!
>
> As we know, there is no certainty of who the originator of a redirect was,
> and there is no assurance about the integrity or secrecy of the URL
> contents.
>
> Those are not the case in GNAP with the client calling the AS -- so what
> is the risk of having information in the URL?
>
> You had mentioned the information leaking into logs -- but the AS controls
> those logs -- and the logs are a concern, the AS could put an encrypted
> token in the URL.
>
> ᐧ
>
> On Wed, Nov 18, 2020 at 3:38 PM Aaron Parecki <aaron@parecki.com> wrote:
>
>> I was referring to the work being done to reduce the reliance on the
>> front channel:
>>
>> * Dropping the Implicit grant
>> * Adding PAR to initiate an OAuth request from a POST request instead of
>> GET
>>
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>>
>>
>> On Wed, Nov 18, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Hey Aaron,
>>>
>>> In the WG meeting you referenced work in the OAuth WG about removing
>>> data that is in URLs for security reaasons. Would you elaborate on what you
>>> were referring to?
>>>
>>> /Dick
>>> ᐧ
>>>
>> --
---
Aaron Parecki
https://aaronparecki.com

v2.23.0 | Report a Bug | By Email