Re: [Wish] Can a client switch tokens?
Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Sat, 13 January 2024 16:46 UTC
Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E93BC14F5E7 for <wish@ietfa.amsl.com>; Sat, 13 Jan 2024 08:46:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLTxYwy4l1F4 for <wish@ietfa.amsl.com>; Sat, 13 Jan 2024 08:46:35 -0800 (PST)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F45BC14F5E6 for <wish@ietf.org>; Sat, 13 Jan 2024 08:46:35 -0800 (PST)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-5591bd0e3f1so89525a12.0 for <wish@ietf.org>; Sat, 13 Jan 2024 08:46:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705164394; x=1705769194; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8VVW+5GbbUpJA2Xq9uFAuzir+qb/5lYR5j762bn7vnE=; b=QntalcQ63gB3uB5pnwEfixsybubXbj8NiwpoNkwU9JmTzMBydXih8XwlO8B2uJ2jyA Ub056ksi/98V+Syda+lfLDRXTeabmuzA8s4qURyhARi389VHIgHOJ59PHaYX2vlwLKop 3mP2qMAF292F9lG+2ubU8Bypytdi1s3rvMjMu+LMrX+NOJZP97LRzlUKFRTbbY3alCxv uHOImx3O2UKfWMULCc9jCwmiBjPzNojxUPeziraihf7sdzpZ/SCFFIozlNHBdMWb7laL uMy6TAi4MLBGaknKUe9qJJ6JMwqc1SJFzbPQm1mSMk8mtYxRZ+JFON40zX6tGqApL7RL oXow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705164394; x=1705769194; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8VVW+5GbbUpJA2Xq9uFAuzir+qb/5lYR5j762bn7vnE=; b=SZg5ztLkX3grsMGjtrUiQycsXJT8pEabYHvP8pEyYNa7m802qofAOoDXqPcqTN9NG2 yonGP3Jzg42nFqzz0nwbne96EwxS6t03oeC8PmhJgJtQcMZKEAw1WHxhqzcACvPUA5eZ kdD50gAR1kmEGf6CPSc5m5LLgMSX5ETMCyzCzGIsS+I66myHYaiEoZXp7JddWvH0GgSP ucANFOze0TjirxJ0uwLUWIto19dYeU7q8RADQwDtUo3y7IXb9ZjGRYHgXfAyaJHqZIC1 CwNMwXwVgAfwuB7rsYmytgJp0epqINPqCuHcdpTtsOqV2S8in3D6dE4XF3B3xgfzFt2a ezrw==
X-Gm-Message-State: AOJu0YwZV5VoId6Pz6/Y4lE1pPDS3/ky5ddcmFUIMUC5SYkgyiS6qS0U S3opEZRIX4DrO94TcokdsPR4yiaSzbzWhlXgeQOx5GtI
X-Google-Smtp-Source: AGHT+IFBkVeXH/F+SdW/A+8fojQy41ZMVNdYX8/LFREmCy1lkG81RYWzc7JmIo5l13UeUXfH2Yf1sV/+Xy5Vc3VGzGQ=
X-Received: by 2002:aa7:d956:0:b0:558:c158:58 with SMTP id l22-20020aa7d956000000b00558c1580058mr1153744eds.31.1705164393595; Sat, 13 Jan 2024 08:46:33 -0800 (PST)
MIME-Version: 1.0
References: <87v87x46xu.wl-jch@irif.fr>
In-Reply-To: <87v87x46xu.wl-jch@irif.fr>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Sat, 13 Jan 2024 17:46:22 +0100
Message-ID: <CA+ag07a0E7itrUONH8c8skZU_-bw_-bddjZtCa8Sho7YhL2WCQ@mail.gmail.com>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: WISH List <wish@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f6c6f8060ed685d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/FEFByflnF9oSB1tMYcHWAGJsbtA>
Subject: Re: [Wish] Can a client switch tokens?
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jan 2024 16:46:39 -0000
This is already covered on the security section: Insecure direct object references (IDOR) on the WHIP session locations: If the URLs returned by the WHIP endpoint for the WHIP sessions location are easy to guess, it would be possible for an attacker to send multiple HTTP DELETE requests and terminate all the WHIP sessions currently running. In order to prevent this scenario, WHIP endpoints SHOULD generate URLs with enough randomness, using a cryptographically secure pseudorandom number generator following the best practices in Randomness Requirements for Security [RFC4086], and implement a rate limit and avalanche control mechanism for HTTP DELETE requests. The security considerations for Universally Unique IDentifier (UUID) [RFC4122] Section 6 are applicable for generating the WHIP sessions location URL. You could restrict the http requests to the ip doing the initial http post if you don't support ice restarts Best regards Sergio El sáb, 13 ene 2024, 15:57, Juliusz Chroboczek <jch@irif.fr> escribió: > Hi, > > Suppose I issue a token T1 to a client, and the client uses T1 to create > a WHIP session. > > C->S: POST(T1) offer > S->C: answer, Location: endpoint > > Suppose now that I issue a second token T2. Is it legal for the client to > use T2 with the endpoint that was created with token T1? > > C->S: DELETE(T2) endpoint > S->C: 200 or 401? > > I can see pros and cons to both approaches. > > If we allow the token to change, then unless the endpoint URL is kept > secret, a client might be able to destroy the session of a different > client, instant DoS. > > If we don't allow the token to change, then we either need to ensure that > tokens have a sufficient lifetime, or specify that the token used for > creating a session may be used with that session even if it has expired. > > Galene currently does the following: > > - it keeps the session URL secret; > - it enforces that the token used in PATCH/DELETE is the same as the one > that was used when creating the session; > - it allows the use of expired tokens in PATCH/DELETE (we simply compare > tokens, and ignore their properties at PATCH/DELETE time). > > I'm looking for implementation advice. I'm not asking for normative > language to be included in the draft (although an informative appendix > might be helpful). > > Thanks, > > -- Juliusz > > -- > Wish mailing list > Wish@ietf.org > https://www.ietf.org/mailman/listinfo/wish >
- [Wish] Can a client switch tokens? Juliusz Chroboczek
- Re: [Wish] Can a client switch tokens? Juliusz Chroboczek
- Re: [Wish] Can a client switch tokens? Sergio Garcia Murillo
- Re: [Wish] Can a client switch tokens? Juliusz Chroboczek
- Re: [Wish] Can a client switch tokens? Sergio Garcia Murillo
- Re: [Wish] Can a client switch tokens? Juliusz Chroboczek
- Re: [Wish] Can a client switch tokens? Sergio Garcia Murillo