Forgot your password?
typodupeerror
Security The Internet

A Truckload of OAuth Issues That Would Make Any Author Quit 86

Posted by Soulskill
from the tell-us-what-you-really-think dept.
New submitter DeFender1031 writes "Several months ago, when Eran Hammer ragequit the OAuth project, many people thought he was simply being overly dramatic, given that he gave only vague indications of what went wrong. Since then, and despite that, many companies have been switching to OAuth, citing it as a 'superior form of secure authentication.' But a fresh and objective look at the protocol highlights the significant design flaws in the system and sheds some light on what might have led to its creator's departure."
This discussion has been archived. No new comments can be posted.

A Truckload of OAuth Issues That Would Make Any Author Quit

Comments Filter:
  • by Anonymous Coward on Friday March 22, 2013 @11:01AM (#43246739)

    $10,000 CHALLENGE to Alexander Peter Kowalski

    Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

    Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

    Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

    If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

    I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

    Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

    Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

    I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

    If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

    You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke threatening to sue him for libel,

  • by sl4shd0rk (755837) on Friday March 22, 2013 @11:26AM (#43246959)

    *sigh* "conflict between the web and the enterprise worlds." is another way of saying users complained when not given an option to aim at their foot.

  • host troll (Score:-1, Offtopic)

    by Dark$ide (732508) on Friday March 22, 2013 @11:27AM (#43246973) Journal
    Why does /. allow that troll to keep posting that shit? What happened to any form of moderation and control on here?
    • by thelovebus (264467) on Friday March 22, 2013 @11:35AM (#43247045)

      What are you talking about? The original submitter? Eran Hammer? The blog being linked to?

      I honestly don't know what you're referring to -- could you explain for those of us who are out of the loop?

      • by EvanED (569694) <evaned.gmail@com> on Friday March 22, 2013 @11:40AM (#43247101)

        I think it's a complaint about (and I hesitate to link to it) this post [slashdot.org] which keeps showing up story after story.

        • Last Post (Score:5, Funny)

          by History's Coming To (1059484) on Friday March 22, 2013 @11:51AM (#43247225) Journal
          That's it, I've had enough. It's easy enough to filter this kind of crap out, but /. just don't seem to bother. Yes, I could simply browse at a higher level, but I've usually got mod points and browse at -1 as suggested for very good reasons. But if /. aren't prepared to deal with the most basic levels of spamming then I can't be bothered helping them out any more. Email address deleted, password changed to a long random string that I don't know, sig changed to indicate account has been deleted. Bye everyone, most of the last decade or so has been fun, but frankly, I quit.
          • by Anonymous Coward on Friday March 22, 2013 @12:00PM (#43247333)

            That's it, I've had enough. It's easy enough to filter this kind of crap out, but /. just don't seem to bother. Yes, I could simply browse at a higher level, but I've usually got mod points and browse at -1 as suggested for very good reasons. But if /. aren't prepared to deal with the most basic levels of spamming then I can't be bothered helping them out any more. Email address deleted, password changed to a long random string that I don't know, sig changed to indicate account has been deleted. Bye everyone, most of the last decade or so has been fun, but frankly, I quit.

            Good to know. Weed out the thin-skinned people, I always say. People who don't actually understand how tricky a problem spam filtering really is, people who can't deal with the internet in general, people who feel the need to get on a soapbox and announce the significantly massive amounts of them not being around anymore everyone else is about to experience (ooo, how impressive and scary!). Sorry, who were you again and why do we care? I missed that part.

            • by noh8rz10 (2716597) on Friday March 22, 2013 @01:17PM (#43248309)
              i thought the whole point of slashdot posts is that it was a free-for-all, self-moderated through the mod point / threshold approach. they also limit posting from people with low karma (not filtering by post content, but just quieting the low karma people). also, you can block ACs while not changing your viewing threshold. There are many options!

              although personally I don't like the posting limits on low karma people. I think this encourages slashdot group-think, where if you speak up against whatever ideas are generally popular (android, google) or speak for unpopular peeps (MS, apple sometimes) you get downvoted and essentially shushed by low karma. This has frustrated me in the past.

              tldr, don't give up hope! make a new id, filter reasonably, and enjoy!
          • Re:Last Post (Score:0, Flamebait)

            by Anonymous Coward on Friday March 22, 2013 @12:15PM (#43247481)

            So basically what you're saying is that you've added yourself to the HOST file?

          • by Anonymous Coward on Friday March 22, 2013 @03:42PM (#43250413)

            Good riddens to you. Can't be bothered to browse at "0", throws a tantrum.

          • by Anonymous Coward on Friday March 22, 2013 @04:08PM (#43250799)

            You should add Slashdot to your HOST file to keep yourself from coming back.

    • by Anonymous Coward on Friday March 22, 2013 @11:37AM (#43247071)

      What are you talking about?

    • by Anonymous Coward on Friday March 22, 2013 @12:07PM (#43247399)

      His name is apk & he's been posting it for over 4 years. Here's one from 2009:

      http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]

      He keeps adding new stuff on so it keeps growing longer and longer as the years pass.

  • Genius (Score:1, Offtopic)

    by Synerg1y (2169962) on Friday March 22, 2013 @11:37AM (#43247077)

    Step one: Make digital card game.
    Step two: Print cards and sell them.
    Step three: Profit more from WOW.

  • OAuth is ugly to implement, no argument there.

    Most of the points made in the article were interesting and seemed valid to me but near the conclusion it felt like the author was reaching bit by ignoring the refresh token concept to make the final point.

    The threat of a hacked browser was a bit of an eye opener for me -- never heard that one brought up as a possibility while working on an OAuth implementation for a client.

    • by kldavis4 (585510) <kldavis4.gmail@com> on Friday March 22, 2013 @11:49AM (#43247203)
      I agree about the hacked browser. I think one of the main arguments by Eran against OAuth2 is that it is basically broken for mobile applications (non-web) and this is just another of the ways it is broken.
    • by Anonymous Coward on Friday March 22, 2013 @11:56AM (#43247287)

      OAuth's whole point is to not type in your passwords and then this guys solution is to create a whole slew of new user/passwords to type in on 3rd party sites. This is just as susceptible to an embedded browser attack. In fact, Oauth is less susceptible because if you are using your browser you should already be authenticated if you are prompted for a log in, you should be suspicious that the log in is not happening in your real browser session.

      Yes some of his comments are valid but he offers no real alternative. His claims about APUI make him seem like he doesn't understand Oauth at all. Of course you need some user interaction to initially authorize the 3rd party service. But after that the 3rd party can use a refresh token to use the user granted API to process work in the background without any user interaction. I use this with Google APIs all the time.

    • If you have hacked the browser or machine you have an issue. For the browser there are a slew of API's dependent on OS that let there be separation so that a browser exploit is limited to allowing authentication while that browser remains open but never exposes the base digital certificates. Smart cards take that further by never exposing the private key to anybody.

      As to AUPI vs API oauth was never meant to be a end all and be all of authentication. Designing something to let arbitrary systems share data with fine grained arbitrary controls is a huge project that has not really been done well by anybody yet.

  • by antifoidulus (807088) on Friday March 22, 2013 @11:50AM (#43247215) Homepage Journal
    The authors biggest complaint about OAuth is that it doesn't do what it was never designed to do....and this is a problem because....? It was never designed for enterprise-level permissions management(there are plenty of other solutions for that). And his solution(copying and pasting tokens) is worse than the disease. It would be easier to go phishing with copied and pasted tokens than it is with OAuth where the login is automatic and tokens/applications can be revoked by the site that manages the account....

    I think someone is just bitter and decided to take it out on a protocol.
    • Re:WTF was that? (Score:4, Interesting)

      by Anonymous Coward on Friday March 22, 2013 @12:13PM (#43247465)

      I think the key point of the article is the first part, the "APUI" section. OAuth is "fine" when used for authentication by a user for a service based on a web browser. However, it is increasingly being applied at the "API" level (where services and applications interact, not users). It doesn't work _at all_ at this level.

      I agree that the enterprise level permissions bit is pushing things, but the rest of the article is spot on.

    • Re:WTF was that? (Score:3, Insightful)

      by Anonymous Coward on Friday March 22, 2013 @12:26PM (#43247613)

      The authors biggest complaint about OAuth is that it doesn't do what it was never designed to do....and this is a problem because....?

      Because people are, with great gusto, actually using it for what it was never designed to do.

  • by jeremylichtman (1717920) on Friday March 22, 2013 @11:56AM (#43247281) Homepage
    I've implemented sites that use a variety of third party authentication schemes. Its a nuisance for users (multiplicity of accounts, more insecure passwords to remember etc) and a nuisance for developers. Why are we still doing this? Authentication (and user profiles for that matter) belong in the user's browser. I'm not talking about Chrome's password wallet. I'm talking about a certificate-based system that allows the user to control from their end which sites are authenticated, and what data they should have access to. Sites would then implement a simple API (possibly combined with meta data on the front end to let the browser know details) that would allow for login, signing up, or changing particulars. The process could be made completely transparent for users. I have this partially implemented as an insecure proof of concept browser plugin. It wouldn't take too much work to get it running, although it really should be core browser functionality instead.
  • by Anonymous Coward on Friday March 22, 2013 @12:01PM (#43247341)

    I would call this neither "fresh" nor "objective".

    The author rehashes some well known issues with the OAuth protocol - I assume OAuth 2.0, though he really should make the distinction explicit, makes some contradictory complaints - "Waah, it's too flexible! Waah, it's not flexible enough!", and recommends some simpler "solutions" that conveniently don't address the problems he raises at all.

    OAuth 2.0 does not provide a plug-and-go interoperable protocol, and many people, including the original RFC editor Eran Hammer, regard that as a failure.
    On the other hand, it provides a framework you can pick-and-choose from to create a perfectly decent authorization API, and it will likely be more sound and familiar to developers than if you had just winged it and created your own.

    • by sjames (1099) on Friday March 22, 2013 @05:59PM (#43252137) Homepage

      So it's a metastandard? Standards compliance really should imply inter-operability. If two implementations of a standard can both be certified as compliant and yet cannot communicate, the standard needs to be tightened or clarified. If that is not desired or if inter-operation isn't a goal, then it may be something, but it is not a standard and should not call itself one.

  • by Anonymous Coward on Friday March 22, 2013 @12:52PM (#43247959)

    In 2013 the world still has a love affair with CHAP and assorted completely broke and useless authentication protocols. Any authentication protocol not cryptographically bound to the underlying transport is total crap yet at this very momement lots of people are hard at work inventing more useless crap.

    The more fundemental problem is web doods who think they know shit about anything are the ones working on these schemes... god forbid they ever have to move outside of their comfort zone and understand something they did not invent (TLS). Instead we get layers upon layers of insecure garbage only semantically different than the garbage that came before it.

    If you want external software to be able to identify you then use a goddamn client certificate
    You know that old shit that has been around for decades. The only thing untrusted software vendors have to do is make sure their not vulnerable to CSRF. Getting some central authentication database to hand out pk12 files is trivial (and probably more secure than oauth) .. then importing these file directly into the browser of your choice ususally takes a few seconds.

    With client certs there are no credentials for the "untrusted" entity to steal if they do this all they get is some assurance that you are who you say you are. The rest of it is unecessary scope creep. Untrusted entities interacting with other untrusted entities on your behalf is a receipe for untrusted disaster. Most of TFAs gripes are actually a failure to understand fundementals garbage in = garbage out not the fault of oauth for as crappy as oauth is.

  • by Anonymous Coward on Friday March 22, 2013 @03:06PM (#43249849)

    Dismissing mobile apps, and non-browser based apps....

    I never really understood what oAuth brought to the table that SAML 2.0 did not. I've done several SAML integrations (from the IdP side), and was impressed with the ability to build a 1 size fits all, at least on the enterprise level.

    Why the rush to oAuth and not SAML 2.0?

  • by Anonymous Coward on Friday March 22, 2013 @03:12PM (#43249951)

    Exchange 2013 has moved to OAuth for server to server communication, ie, to Sharepoint, Lync, etc. I'm trying to wrap my head around what this guy is saying and how that has anything to do with the OAuth that is employed by the new Office Servers Suite from MS. Because like it or loath it, most companies use Exchange nowadays.

  • by TwistedGreen (80055) <twistedgreen@g m a i l . com> on Friday March 22, 2013 @04:26PM (#43251075)
    Some guy's rant on Blogspot is news? I guess the "stuff that matters" tagline doesn't apply anymore...
  • by ChaseTec (447725) <chase@osdev.org> on Friday March 22, 2013 @05:04PM (#43251573) Homepage

    The author makes no distinction between OAuth 1.0a and OAuth 2.0. One of the spec leads did rage quit, not because of how bad OAuth is in general but because of all the "enterprise" help in version 2.0. Saying there is no standard is also dumb, yes version 2.0 can suffer from incompatible implementations but version 1.0 is pretty straight forward, the standard is right here: http://tools.ietf.org/html/rfc5849 [ietf.org]. The suggestion that we should just stick to HTTP Basic Authentication over SSL/TLS shows that the author doesn't get OAuth. The whole point it that apps shouldn't have your passwords to do what you ask them. Passwords are insecure and we shouldn't be giving them to every single application that wants them no matter how useful the app. We need delegation and permission revoking.

    • by Anonymous Coward on Friday March 22, 2013 @05:50PM (#43252049)

      The whole point it that apps shouldn't have your passwords to do what you ask them.

      This is why god created X509 certificates back in the days when basic encoding rules were hip when dinousars and man cohabitated the earth.

      Passwords are insecure and we shouldn't be giving them to every single application that wants them no matter how useful the app. We need delegation and permission revoking.

      I think this line of thought is part of the problem.

      Don't try for a complex horizontal solution instead punt concepts such as delegation and revocation to the application.

      To use the calendar analogy if I want to grant x y and z permission to a b and c users then I need to tell my calendar my wishes with calendar specific details it understands. Ditto if I later change my mind.

      It is hopeless to think you will be able to develop a solution to communicate these things in a common language that is not soo bloated nobody would be able to understand let alone implement it. This is about as productive as REST over HTTP in achiving any measure of horizontal reuse. The only reuse should be in the form of identifier specifications.

      The key to system to system interaction is orchestration. I don't for example ever tell my calendar to go do something else to another system on my behalf. Either myself or a trusted agent with a certificate signature to prove my trust in the agent handles all system to system interaction.

      Those people who see the need to grant system x to do 1, 2 and 3 to systems a b and c on my "behalf" have already failed. The resulting specification will simply be a reflection of that failure regardless of how smart the people writing it are.

    • by efalk (935211) on Friday March 22, 2013 @08:38PM (#43253585)

      Agreed.

      Can anybody explain what's wrong with just using Oauth 1?

  • by shirikodama (2670887) on Friday March 22, 2013 @05:13PM (#43251687)
    I brought this up with the oauth working group and got snarled at by lots of people including Eran Hammer. It's nice to see that other people are noticing the same problems. When you have a native app, you can show the user anything to get their confidence, and with some work get their credentials, including apps with webview's. OAuth's security model was not designed with native apps in mind, it was designed for ~trustable web browsers. This isn't surprising because OAuth was designed before the current fad for native apps happened around 2006-2007 when the world was all browsers all the time.
    • by DeFender1031 (1107097) on Saturday March 23, 2013 @11:30PM (#43261037)
      Exactly. And the people commenting that "you should never have a hacked browser" don't get that it's referring to native apps which embed a browser to mislead you rather than, say, a spyware-infested version of firefox. Of course you shouldn't have the latter, but for the former, anyone can make an app that imitates anything.
  • Watches (Score:-1, Offtopic)

    by Johnpurkey (2873907) on Saturday March 23, 2013 @05:26AM (#43255593)
    For More know About Watches coupon visit here.. ==>> http://slashdot.org/submission/2561893/stylish-watches [slashdot.org]
  • IMHO, the only legitimate points in this gentleman's post are: (1) a compromised browser defeats OAuth, and (2) OAuth isn't mobile-friendly because it requires browser interaction to gain user consent to grant access.

    While both of these are true, Web browsers are ubiquitous; OAuth is a Web standard. You can abuse it slightly to make it work with mobile devices (see "access code grant") but really, it not was intended to be a be-all end-all authorization mechanism.

    Likewise, claims that the protocol isn't "enterprise-friendly" are somewhat silly. OAuth was not intended for fine-grained authorization within an authentication or trust domain. It's for cross-domain (cross-application) grants, between unrelated apps, under the assumption that all three parties in the transaction are basically unrelated.

    If an executive wants to delegate calendar permissions to his secretary, he should *just do it* by clicking a checkbox on Microsoft Outlook or whatever product they use for scheduling, which no doubt has its own rich permissions system and obviously has its own authentication mechanism. There's no need for a Web standard to facilitate this use case!

    As for claims that "there is no standard" -- that's entirely true. There is a draft standard, which presumably will eventually be ratified by IETF once we have all had a chance to play with the technology and suggest improvements. Standards are not an item of worship; they're just a way to ensure that a protocol has had a reasonable degree of scrutiny, has no undisclosed patent encumbrances, etc. I've heard people accuse OAuth of being complex or flawed, but never fundametnally insecure.

    Frankly, anyone who thinks the OAuth draft RFC is complex, should choose a dozen or so documents from the SAML protocol suite, relax in a hot bath, and read through several hundred pages of THAT claptrap. Then we can talk about complexity.

    (Disclaimer: yes, I do read security standards in the bath, and I create toy implementations of security protocols and algorithms for fun. That probably makes me mentally ill.)

    • If people were only using OAuth for web-to-web communication, I don't think those issues would have been raised. But many of the big players have their "API"s based on it. Take a look at this thread [citrixonline.com] on citrix's development site for example. Here, there's a service which is hardly web-based, pretty much the only thing web-based about it is that you join meetings by browsing to a URL, and yet the only authentication model they provide for their "API" is OAuth. This is wrong. It's not what OAuth was designed for. And yet it's what's being used. If people would stick to its intended purpose when using it, there would be no problem, but this is hardly the case.
    • by manu0601 (2221348) on Saturday March 23, 2013 @09:30PM (#43260639)

      Frankly, anyone who thinks the OAuth draft RFC is complex, should choose a dozen or so documents from the SAML protocol suite, relax in a hot bath, and read through several hundred pages of THAT claptrap.

      Indeed the spec is huge, but it works extremely well. I must confess still do not understand why OAuth exists since we have SAML

  • by Anonymous Coward on Sunday March 31, 2013 @04:14AM (#43322905)

    The problem of storing Application Key & Secret on the device initiating the protocol is the same with OAuth1 or Oauth2. Eran Hammer rant ware not about this at all. It's an old issue that can't really be fixed today. Check this out http://arstechnica.com/security/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong/

"Maintain an awareness for contribution -- to your schedule, your project, our company." -- A Group of Employees

Working...