Aaron Parecki

Thursday, May 2, 2019

• 
• 

  10:25pm

  Asleep

  6:28am

  Awake

  8h 03m

  Slept

  23m

  Awake for

  

  Mountain View, California, USA

  Thu, May 2, 2019 6:28am -07:00
• 

  Contributions from: Germany, India, United States

  Thu, May 2, 2019 7:09am -07:00
• 

  Contributions from: Germany, India, United Kingdom, United States

  Thu, May 2, 2019 7:26am -07:00
• 

  at Hotel Vue

  Mountain View, California • Thu, May 2, 2019 7:29am

  37.381403 -122.074277

  Mountain View, CA, United States • 49°F

  10 Coins

  Thu, May 2, 2019 7:29am -07:00
• 

  Contributions from: Germany, India, Switzerland, United States

  Thu, May 2, 2019 7:40am -07:00
• 

  at Computer History Museum

  Mountain View, California • Thu, May 2, 2019 7:54am

  37.414456 -122.0775

  Mountain View, CA, United States

  1 Coin

  Thu, May 2, 2019 7:54am -07:00
• 

  Browser APIs have gotten so much better lately! Way easier to do @oauth_2 PKCE in a browser now:
  
  ✅ good random number generators
  ✅ secure hashing functions
  
  Just missing a good base64 encoding function. (Check out the ugly hack in the post.)
  
  https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#begin-the-pkce-request

  Mountain View, California, USA • 49°F

  5 likes 1 repost 5 replies

  Thu, May 2, 2019 8:25am -07:00 #oauth #javascript #pkce
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?
  

  That's the classic problem with the front-channel (sending data over HTTP redirects in a browser). The sender has no way to know if the receiver got the data, and has no way to tell if it was stolen or copied.

  Mountain View, California • 49°F

  Thu, May 2, 2019 8:31am -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?
  

  An easy example to see is captive wifi portals where the network intercepts DNS requests and returns a different answer.

  Mountain View, California • 49°F

  Thu, May 2, 2019 8:33am -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?
  

  Think of it this way: The server is trying to send some sensitive data to the application, but has no direct communication channel, and instead has to trust some other piece of software (the browser) to deliver it.

  Mountain View, California • 49°F

  1 reply

  Thu, May 2, 2019 8:40am -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk sorry I guess I should have specified "with https". doesn't https' security model encompass this one?
  

  Nope because the browser is still an unknown there, at least from the point of view of the sender of the sensitive data.

  Mountain View, California • 49°F

  1 reply

  Thu, May 2, 2019 9:03am -07:00
• Chris https://twitter.com/gonji96

  PKCE is on my list to implement when no one is watching

  Mountain View, California • 49°F

  Thu, May 2, 2019 3:54pm +00:00 (liked on Thu, May 2, 2019 9:04am -07:00)
• Taxi

  3.70mi

  Distance

  102:40

  Duration

  7:40am

  Start

  9:22am

  End

  

  Mountain View, California • 49°F

  Thu, May 2, 2019 9:22am -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better
  

  Here's one: The access token is sent in the address bar, so it becomes part of the browser history. This will be written to disk, and possibly even synced to the browser's "cloud" and then even synced down to other devices.

  Mountain View, California • 49°F

  1 reply

  Thu, May 2, 2019 10:07am -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better
  

  Think of it from the PoV of the thing sending the access token. It wants to make sure the AT ends up in the client and isn't stolen along the way. It can't trust the browser's address bar because the browser isn't the thing it's sending the token to, the code in the browser is.

  Mountain View, California • 49°F

  Thu, May 2, 2019 10:13am -07:00
• Eve Maler https://twitter.com/xmlgrrl

  #IIW today is obv going to start with a bang. @justin__richer

  

  Mountain View, California • 49°F

  Thu, May 2, 2019 4:06pm +00:00 (liked on Thu, May 2, 2019 10:14am -07:00) #IIW
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk sure, but a malicious browser could also save the entire js state to disk in exactly the same way (and some do a limited version of this for caching purposes). so it's hard for me to think of that as a security benefit? this is only more secure if everyone along the line behaves exactly in the way you expect it to
  

  Security is never about stopping 100% of attacks, since that's impossible. It's about mitigating risk, and reducing the attack surface.
  
  It's worth reading this whole document even if it is a bit terse. Here's a good example of an unexpected attack on the Implicit flow: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-4.1

  Sunnyvale, California • 49°F

  2 replies

  Thu, May 2, 2019 3:30pm -07:00
• Sebastian Lasse https://mastodon.social/@sl007   •   May 2

  @aaronpk This could save you 4 characters ;))
  return btoa(encodeURIComponent(str)
  .replace(/%([0-9A-F]{2})/g, (m, p1) => String.fromCharCode(parseInt(('0x'+p1), 16))));
  

  hah clever!

  Sunnyvale, California • 49°F

  Thu, May 2, 2019 3:31pm -07:00
• Nico Kaiser https://twitter.com/nicokaiser   •   May 2

  What is your opinion on refresh tokens in client-side apps? The PKCE Auth Code flow allows issuing refresh tokens, so SPAs can refresh their tokens without relying on web_message (possibly cross-domain) iframes. ...
  

  Totally depends on your risk tolerance. Browsers are always a more risky environment, so that's something to keep in mind with refresh tokens.
  
  If you are going to issue refresh tokens to JS, definitely rotate them after every use.

  Sunnyvale, California • 49°F

  1 like

  Thu, May 2, 2019 3:32pm -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk isn't the section you linked to just as much of a concern under the authorization code flow as the implicit flow? since javascript clients are public clients no matter what?
  

  Nope because PKCE solves the problem of the thing being stolen during the redirect.

  San Jose, California • 49°F

  1 reply

  Thu, May 2, 2019 3:39pm -07:00
• Taxi

  10.54mi

  Distance

  34:47

  Duration

  3:07pm

  Start

  3:42pm

  End

  

  San Jose, California • 49°F

  Thu, May 2, 2019 3:42pm -07:00
• 

  at Norman Y. Mineta San José International Airport (SJC)

  San Jose, California • Thu, May 2, 2019 3:43pm

  37.368438 -121.929042

  San Jose, CA, United States

  10 Coins

  Thu, May 2, 2019 3:43pm -07:00
• 

  at TSA Pre-Check Terminal B

  San Jose, California • Thu, May 2, 2019 3:48pm

  37.365179 -121.924013

  San Jose, CA, United States • 49°F

  4 Coins

  Thu, May 2, 2019 3:48pm -07:00
• 

  at The Club at SJC

  San Jose, California • Thu, May 2, 2019 3:57pm

  37.368421 -121.928393

  San Jose, CA, United States

  8 Coins

  Thu, May 2, 2019 3:57pm -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk huh? But the redirect_uri is controlled by the same person who controls the code_challenge
  

  That particular attack doesn't assume a malicious browser, that one is improper redirect uri validation. I should probably just write up better explanations of all the attacks in that document but they are all described there.

  San Jose, California • 49°F

  1 reply

  Thu, May 2, 2019 4:17pm -07:00
• Eve Maler https://twitter.com/xmlgrrl

  In @justin__richer’s #IIW “DIDn’t” session: Once more with feeling: Privacy is not secrecy; privacy is not encryption; privacy is context, control, choice, and respect.

  San Jose, California • 49°F

  Thu, May 2, 2019 6:10pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW
• Drummond Reed https://twitter.com/drummondreed

  At #IIW session on “Is #selfsovereignidentity really possible”, @xmlgrrl Eve Maler offers perhaps the most concise definition of of #privacy I’ve ever heard: “Privacy is context-controlled choice and respect.” Beautiful. And I believe actually possible with #SSI.

  

  San Jose, California • 49°F

  Thu, May 2, 2019 6:07pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW #selfsovereignidentity #privacy #SSI
• Drummond Reed https://twitter.com/drummondreed

  Biggest laugh at #IIW so far: when @justin__richer in his session on “Is #selfsovereignidentity really possible” turned to Dave Crocker and said that we can all blame him for the Internet not having #security built in from the start.

  

  San Jose, California • 49°F

  Thu, May 2, 2019 6:03pm +00:00 (liked on Thu, May 2, 2019 4:18pm -07:00) #IIW #selfsovereignidentity #security
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk no, I understand that one, I just still don't see how pkce helps improper redirect validation (since the pkce secret and redirect URI come from the same request)
  

  PKCE makes the auth code useless if it's stolen. In PKCE the secret isn't sent out until the access token request.

  San Jose, California • 49°F

  1 reply

  Thu, May 2, 2019 4:21pm -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk Yes, i get that, but the attacker can make the access token request just as easily as the legitimate client.
  

  No it can't, because the attacker won't have the PKCE secret at that point. (We're talking about the case where the code is stolen out of the redirect through one of many mechanisms)

  San Jose, California • 49°F

  1 reply

  Thu, May 2, 2019 4:26pm -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk you linked to "Insufficient Redirect URI Validation" though? maybe i'm just confused about what you were talking about.
  

  Right, that's one way to steal data out of the redirect even if the browser is doing everything right.
  
  The attacker creates a redirect url at the hostname of the real app but uses an endpoint on the app that can then redirect to the attackers app. Chaining the redirects using an open redirector.

  San Jose, California • 49°F

  1 reply

  Thu, May 2, 2019 4:30pm -07:00
• Nico Kaiser https://twitter.com/nicokaiser   •   May 2

  ... assuming I can control what JS code runs on my site (which is a different problem), this should be safe, right?
  

  That's a big assumption (you don't know what browser extensions the user is using) but yes that's one way to be more confident. I wouldn't use absolute terms like "safe" though. "Less risky" maybe.

  San Jose, California • 49°F

  Thu, May 2, 2019 4:31pm -07:00
• alianora https://cybre.space/@nightpool   •   May 2

  @aaronpk Yep, but in that case the attacker controls the redirect uri right? how can the attacker control the redirect uri without also controlling the pkce secret?
  

  I'm trying to explain this in 200 character chunks but it clearly isn't working. I also can't find an existing page quickly that explains it better, so clearly I need to properly write it up.

  San Jose, California • 49°F

  1 reply

  Thu, May 2, 2019 4:41pm -07:00
• 

  at Gate 27

  San Jose, California • Thu, May 2, 2019 5:20pm

  37.364881 -121.92392

  San Jose, CA, United States

  7 Coins

  Thu, May 2, 2019 5:20pm -07:00
• San Jose (SJC) to Portland (PDX)

  May 2, 2019 from 6:00pm to 7:45pm (-0700)

  Alaska Flight 309

  

  Portland Intl in Portland

  1 mention

  permalink #okta #oauth #iiw
• Plane

  647.44mi

  Distance

  96:01

  Duration

  5:48pm

  Start

  7:25pm

  End

  

  Portland, Oregon • 49°F

  Thu, May 2, 2019 7:25pm -07:00
• Train

  9.02mi

  Distance

  23:19

  Duration

  7:39pm

  Start

  8:02pm

  End

  

  Portland, Oregon • 49°F

  Thu, May 2, 2019 8:02pm -07:00
• Lillian Karabaic https://twitter.com/anomalily

  Just found out that @juliensolomita used my suggestion in his most recent video to do a mac + cheese tasteoff and I am STOKED. Because I love nothing more than some vegan mac. https://www.youtube.com/watch?v=EBv5A7NC2eI

  

  Portland, Oregon • 49°F

  Fri, May 3, 2019 12:02am +00:00 (liked on Thu, May 2, 2019 8:22pm -07:00)