Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: New Version Notification for draft-fett-oauth-dpop-03.txt

2019-12-02 Thread Richard Backman, Annabelle 
> Session cookies serve the same purpose in web apps as access tokens for APIs 
> but there are much more web apps than APIs. I use the analogy to illustrate 
> that either there are security issues with cloud deployments of web apps or 
> the techniques used to secure web apps are ok for APIs as well.

"Security issues" is a loaded term, but if you mean that there are practical 
risks that are not addressed by bearer tokens (whether they be session cookies 
or access tokens) then yes, I think we both agree that there are. Otherwise we 
wouldn't be discussing PoP, sender-constrained tokens, etc. TLS-based solutions 
mitigate some risks, while leaving others unmitigated. Depending on your use 
case and threat model, these risks may or may not present practical threats. 
For my use cases, they do.

Ultimately I'd like to mitigate these risks for both service APIs and web 
applications. My focus is on service APIs for a couple reasons:

1. Interoperability is more important when the sender and recipient aren't 
necessarily owned by a single entity. I can do proprietary things in JavaScript 
if I want to just as I can in client SDKs, but this breaks down if my API 
implements a standard protocol and is expected to work with off-the-shelf 
clients and/or implementations from other vendors.

2. Web applications are just a special subset of service APIs that happens to 
be accessed via a browser. A solution for service APIs ought to be reusable for 
web applications, or at least serve as a foundation for their solution.

>- Have you seen this kind of proxies intercepting the connection from 
> on-prem service deployments to service provider? I’m asking because I thought 
> the main use case was to intercept employees PC internet traffic.

I'm working from second-hand knowledge here, but like most things in the 
enterprise world, it depends. Separating employee device outbound traffic from 
internal service outbound traffic requires some level of sophistication, be it 
in network topology, routing rules, or configuration rules on the TLIS 
appliance. 

>- Are you saying this kind of proxy does not support mutual TLS at all?

From what I understand, at the very least mTLS is not universally supported. 
There may be some vendors that support it, but it's not guaranteed. The 
documentation for Symantec's SSL Visibility product [1] indicates that sessions 
using client certificates will be rejected unless they are exempted based on 
destination whitelisting (which is problematic when the destination may be a 
general-purpose cloud service provider).

> On the other hand, I would expect these kind of proxy to understand a lot 
> about the protocols running through it, otherwise they cannot fulfil their 
> task of inspecting this traffic.

Maybe, maybe not. In any case there's a difference between understanding HTTP 
or SMTP or P2P-protocol-du-jour and understanding the application-level 
protocol running on top of HTTP. There hasn't been any need for these proxies 
to understand OAuth 2.0 thus far.

[1]: 
https://origin-symwisedownload.symantec.com/resources/webguides/sslv/45/Content/Topics/troubleshooting/Support_for_Client_Cert.htm
– 
Annabelle Richard Backman
AWS Identity


On 12/1/19, 7:41 AM, "Torsten Lodderstedt" 
 wrote:


Annabelle,

> Am 27.11.2019 um 02:46 schrieb Richard Backman, Annabelle 
:
> 
> Torsten,
> 
> I'm not tracking how cookies are relevant to the discussion.

I’m still trying to understand why you and others argue mTLS cannot be used 
in public cloud deployments (and thus focus on application level PoP).

Session cookies serve the same purpose in web apps as access tokens for 
APIs but there are much more web apps than APIs. I use the analogy to 
illustrate that either there are security issues with cloud deployments of web 
apps or the techniques used to secure web apps are ok for APIs as well.

Here are the two main arguments and my conclusions/questions:  

1) mTLS it’s not end 2 end: although that’s true from a connection 
perspective, there are solutions employed to secure the last hop(s) between TLS 
terminating proxy and service (private net, VPN, TLS). That works and is 
considered secure enough for (session) cookies, it should be the same for 
access tokens.

2) TLS terminating proxies do not forward cert data: if the service itself 
terminates TLS this is feasible, we do it for our public-cloud-hosted 
mTLS-protected APIs. If TLS termination is provided by a component run by the 
cloud provider, the question is: is this component able to forward the client 
certificate to the service? If not, web apps using certs for authentication 
cannot be supported straightway by the cloud provider. Any insights?

> I'm guessing that's because we're not on the same page regarding use 
cases, so allow me to clearly state mine:

I think we are, we are just focusing on different ends of the TLS tunnel.

Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

2019-12-02 Thread Daniel Fett 
Am 02.12.19 um 10:05 schrieb Christian Mainka:
> I think this problem is not only restricted to the redirect_uri.
> Regarding countermeasure (1), also the A-AS can return the same
> client_id as the client uses on the H-AS.
>
> TL;DR: In countermeasure (1), only the issuer prevents MixUp, the
> client_id parameter can be faked as well during the registration of the
> client (especially if Dynamic Client Registration is used).

What would be the issuer identifiers of A-AS and H-AS in this case be,
as seen by the client?

-Daniel


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

2019-12-02 Thread Christian Mainka 
Hi Daniel,

I think this problem is not only restricted to the redirect_uri.
Regarding countermeasure (1), also the A-AS can return the same
client_id as the client uses on the H-AS.

TL;DR: In countermeasure (1), only the issuer prevents MixUp, the
client_id parameter can be faked as well during the registration of the
client (especially if Dynamic Client Registration is used).

Regards
Christian

On 26.11.19 15:20, Daniel Fett wrote:
> Hi Karsten,
>
> Very interesting observation!
>
> My gut feeling is that this is the real problem here:
>
> Am 26.11.19 um 14:24 schrieb Karsten Meyer zu Selhausen:
>> Depending on its implementation the client might simply extract all data
>> contained in the Client Information Response and use it for
>> authorizations with the specific AS.
>> We were able to confirm that one popular open-source library behaves in
>> this exact way. It stores the redirect URI contained in the Client
>> Information Response and uses it for Authorization Requests with the
>> A-AS although it differs from the redirect URI in the Client
>> Registration Request.
> The client uses untrusted, unverified data to make its decision on what
> redirect URI to use.
>
> Nonetheless, we should definitely mention this in the BCP!
>
>> In our opinion this makes the countermeasure "AS-specific redirect URIs"
>> obsolete and we believe the other countermeasure described in the BCP
>> (adding an AS identifier and the client_id of the intended recipient to
>> AS's responses) should be used to prevent Mix-Up attacks. If the
>> involved entities use the OIDC hybrid flow this countermeasure is
>> automatically applied.
> These are more intrusive changes than the per-AS redirect URI and may
> require new parameters.
>
> Daniel
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security 
Chair for Network and Data Security 
Ruhr-University Bochum, Germany

Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany

Telefon: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
http://nds.rub.de/chair/people/cmainka/
@CheariX


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth