Bearer Tokens Considered Harmful

From MgmtWiki
Revision as of 18:25, 2 October 2018

Introduction

This paper discusses the limitations of Channel Binding or other half-way measures to fix a broken security feature introduced with OAuth 2.0,[1] Bearer Tokens.[2] The conclusion is that Bearer Tokens themselves are the problem and we need to be working on finding better ways to authorize the release of resources on the web.

History

Given that the internet had its genesis in a DoD grant, it is curious that security has never been part of the design of any of its parts. Security has always been added on afterwards, and we continue to struggle with that poor fit between security and openness today. The internet really only supports machine-to-machine links. This was codified in the Open System Interconnect (OSI) model by the telecommunications monopolies as a means to propagate their control of telecommunications. At the time I was working with Richard desJardins from NASA to create a User Guide to OSI (UGOSI), which failed in its effort to make a clear case to the user why the OSI model was good for them. That was just one harbinger of the failure of the internet to address user issues, which continues to this day. The first security problem, between different enterprises, was addressed by IPSEC, which worked well until one of the machines was in the possession of the user and could be connected to the internet at any point. Shared secrets between different enterprises no longer work for devices that have moved beyond the control of the enterprise.

With the introduction of the user into the security picture, IPSEC (and OSI) was hacked with Channel Binding in RFC 5056 (released 2007-11), which crosses almost all of the OSI levels (from 2 to 7) to give the user control of the secrets used to establish the secure channel. This hack has worked well for client computers that are attached to a "home" network, in effect allowing the client computer to be treated as "local" to the enterprise network, inside the enterprise firewall and protected from the hostile internet. Of course the hack was incomplete in that the user-controlled client computer could also attach to the raw internet, which was the source of external infection vectors. Microsoft introduced a version of channel binding that could also use HTTPS (SSL) connections in Extended Authentication Protocol (EAP) in 2009[3] to address Man-in-the-Middle attacks.[4] This created several problems, including one where the SSL connection was terminated at an edge computer and so could not be known at the service computer. That was addressed by another hack, Service Binding, patented by Mark Novak,[5] in which a clear-text client service binding value is received from a client at the target server, compared to a server service binding value, and a communication channel is formed between the client and the target server only when the two values match. The overriding assumption is still that the enterprise controls security.

Problems

It was into this environment that OAuth 1.0 (using a convoluted version of shared secrets) morphed into OAuth 2.0 (using public key), which was still based on one computer talking to another computer. Among the many fields that could be addressed was the HTTP header carrying the type of authorization used (e.g. Authorization: Bearer mF_9.B5f-4.1JqM). Unfortunately only the bearer type is actually supported by any existing implementation. So, in order to expand the functionality of authorization, all modifications to date have been to hack the bearer token in some way to make it more secure. The final solution has been Token Binding,[6] of which the cited draft is only the first of 3 to 5 related standards, depending on how you count. If you have been counting, this is now the hack of a hack of a hack, also known as the great-grand hack. But the real problem with the latest (token binding) hack is that while the earlier hacks could be implemented at the enterprise level by the same development team, token binding requires that all developers of internet solutions implement the hack with no security vulnerabilities. That is certainly something that has never worked in the past.
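As an added illustration (not code from the article), the following Python contrasts the plain bearer check of RFC 6750 with a sender-constrained check in the spirit of token binding: a captured bearer token is sufficient on its own, while a bound token also requires proof of possession of a key only the legitimate client holds. The HMAC key is an assumed stand-in for the client's public key, and every token, key and nonce is constructed inside the demo.

```python
import hashlib
import hmac
import secrets
# Constructed example, not the article's code. An HMAC key stands in for the
# client's public key; real Token Binding verifies a signature tied to the TLS
# channel, but the lesson is the same: the token alone must not be enough.
TOKENS = {}  # token -> {"scope": str, "client_key": bytes or None}

def issue_token(scope, client_key=None):
    """Issue an opaque access token, bound to client_key when one is given."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"scope": scope, "client_key": client_key}
    return token

def parse_authorization(header):
    """Return the credential from 'Bearer <token>' (RFC 6750), else None."""
    scheme, _, credential = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        return None
    return credential.strip()

def bearer_check(header):
    """RFC 6750 behaviour: whoever presents a valid token gets its scope."""
    rec = TOKENS.get(parse_authorization(header))
    return rec["scope"] if rec else None

def make_proof(client_key, token, nonce):
    """Client side: prove possession of the key for this token and nonce."""
    return hmac.new(client_key, token.encode() + nonce, hashlib.sha256).hexdigest()

def bound_check(header, nonce, proof):
    """Bound token: release the scope only with a valid proof of possession."""
    token = parse_authorization(header)
    rec = TOKENS.get(token)
    if rec is None or rec["client_key"] is None:
        return None  # unknown token, or one that was never bound to a key
    expected = make_proof(rec["client_key"], token, nonce)
    return rec["scope"] if hmac.compare_digest(expected, proof) else None

def demo():
    """Present a captured token with and without the legitimate client's key."""
    client_key = secrets.token_bytes(32)
    plain = issue_token("read:profile")
    bound = issue_token("read:profile", client_key)
    nonce = secrets.token_bytes(16)  # server-chosen per request, so a proof cannot be replayed
    legit = bound_check("Bearer " + bound, nonce, make_proof(client_key, bound, nonce))
    other_key = secrets.token_bytes(32)  # a thief holds the token but not the key
    stolen = bound_check("Bearer " + bound, nonce, make_proof(other_key, bound, nonce))
    return bearer_check("Bearer " + plain), legit, stolen
```

The plain token is accepted from anyone who has it, which is exactly the property the article objects to; the bound token is accepted only together with a fresh proof from the key holder.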

Now we have a large number of people using OAuth 2.0, but increasing evidence that not only can Facebook not get it right,[7][8] but the UK Open Banking community is not convinced that bearer tokens are acceptable for payment protocols. Note that Facebook acknowledged that they "cannot fix this" as early as 2014.[9]

Solution

The obvious solution is a different token type in OAuth 2.0, or perhaps even a different version of OAuth, I guess 3.0. The obvious objection will be that "everybody is using OAuth 2.0 with bearer, we have no choice." The obvious answer is "bollocks, let's do this thing right!" Besides, if so few developers are able to handle the security complexity of OAuth 2.0 as it is, then we would be better off with something new that has fewer security holes in it.

References

  1. D. Hardt, The OAuth 2.0 Authorization Framework. RFC 6749
  2. M. Jones, D. Hardt, The OAuth 2.0 Authorization Framework: Bearer Token Usage. RFC 6750
  3. Microsoft SWI, Extended Protection for Authentication. (2009-12-08) https://blogs.technet.microsoft.com/srd/2009/12/08/extended-protection-for-authentication/
  4. Microsoft, Man in the Middle. https://msdn.microsoft.com/en-us/library/cc247407.aspx
  5. Mark Novak +1, Service Binding. Patent (2014-09-30) US 8850553
  6. A. Popov +5, Token Binding over HTTP (approved but not yet released RFC). https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/
  7. Thomas Brewster, How Facebook Was Hacked And Why It's A Disaster For Internet Security. (2018-09-28) Forbes https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/#5a64b0b82033
  8. Issie Lapowsky, The Facebook Hack Exposes an Internet-Wide Failure. (2018-10-02) Wired https://www.wired.com/story/facebook-hack-single-sign-on-data-exposed/?CNDID=45183233&mbid=nl_100218_daily_list1_p4
  9. Wang Wei, Hacking Facebook User 'Access Token' with Man-in-the-Middle Attack. (2014-03-11) The Hacker News https://thehackernews.com/2014/03/hacking-facebook-user-access-token-with.html