On Sep 6, 2011, at 4:10 PM, Michael Thomas wrote:

> John Kemp wrote:
>> On Sep 6, 2011, at 3:49 PM, Michael Thomas wrote:
>>> Except in the desktop web world, I choose from a *tiny* set of browsers:
>>> chrome, firefox, opera, and, uh, ie. To a lesser or greater extent, I don't
>>> expect that the browsers themselves are malicious. Which is a pretty ok
>>> assumption.
>> It is? I would certainly question it. The WebKit WebView is embeddable in 
>> the C/C++ programming languages and APIs are available for that on most 
>> platforms - all are open to the same attacks you mention. How about the 
>> plugins you get for your browser from various places - they could have key 
>> loggers too. It's also possible for an app delivered from a server to 
>> present a login form that looks like it is from Twitter, but is actually 
>> from an attacker site. Such attacks are very common indeed, and don't 
>> require a key logger. They do require the user to "trust" the app though, 
>> just as the user would need to trust the key logger he installed.
> 
> I didn't say they weren't embeddable elsewhere. I just gave my example. And
> if I don't use plugins, the browser is relatively trustable, especially in
> comparison to standalone apps -- on desktop *or* phone, etc.

Again, I disagree. As a user, I should pay attention to the sites I visit - as 
much as I should pay attention to the apps I download.

> 
> 
>>> With embedded web views, that assumption goes out the window. There are
>>> 100's of thousands of apps, all of which can use webviews. I have no way
>>> to know if a given app is evil or not, and *lots* of apps provide facebook
>>> and twitter integration. Not because they're evil, but because that's what's
>>> expected by users. So the use model of oauth in this case is *very*
>>> different than the desktop use case.
>> I disagree. If anything, because desktop machines tend to be less 
>> 'locked-down' than mobile platforms (app stores for desktops followed app 
>> stores for mobile platforms), they are more widely open to abuse.
> 
> I can tell you from experience that Android absolutely doesn't check anything
> of this sort, and it would take extremely deep voodoo for Apple to do the
> same: they never see source.

I believe that both Apple and Google *do attempt* to prevent malware from 
getting into their stores.

> 
> So the reality is that neither are trustable.

This I agree with ;)

> 
>>> But I'm being told that use cases aren't the problem of oauth. I'd say that
>>> there has all along been a hidden assumption that the browser was
>>> a trusted entity.
>> The point is simply that if you can subvert the actual platform, then OAuth 
>> problems are the least of your worries (as a user).
> 
> People keep saying that to deflect criticism, but I don't buy it. Other
> protocols aren't availing an attacker to user credentials to third party
> servers by simply snooping on the webview key traffic in an otherwise
> completely normal use pattern.

HTTP Auth? Web form login? 

> 
> Have you ever signed on to facebook in an app before?

Frankly, not too often, no, since these apps usually ask for far more authority 
than I believe is necessary for the purpose of using the app.

- John

> 
> Mike
> 
>> - John
>>> Since it isn't always, it should be very explicit in the
>>> protocol, threats, and security considerations of what could happen if it's
>>> not.
>>> 
>>> Mike, frankly this is why apps do suck, but I'm not king of the world
>>> 
>>>> -- Justin
>>>> On Tue, 2011-09-06 at 15:28 -0400, Michael Thomas wrote:
>>>>> Melinda Shore wrote:
>>>>>> On 09/06/2011 11:11 AM, Jill Burrows wrote:
>>>>>>> I repeat, it is not an OAuth problem.
>>>>>> If I'm reading Mike correctly (and if I'm not it won't be the
>>>>>> first time I've misunderstood him), he's not really asking for
>>>>>> OAUTH to solve this particular problem but to clarify the
>>>>>> documents and beef up discussions of what is and is not in
>>>>>> scope.  He read the document and couldn't figure out whether
>>>>>> or not this particular problem is the business of the working
>>>>>> group.
>>>>> I'm fairly certain that if somebody were deploying oauth for their servers
>>>>> that unless the document told me that oauth doesn't provide protection
>>>>> against third party snooping if it's embedded in any app, most people
>>>>> wouldn't have a clue that that was a dangerous assumption.
>>>>> 
>>>>> What this says is that oauth only works in one use case, and that only the
>>>>> user can tell the difference. Given the proliferation of phone apps and
>>>>> embedded webviews, it seems that the original assumptions of oauth are
>>>>> no longer up to date.
>>>>> 
>>>>> Mike
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
