Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?) from Maciej Stachowiak on 2009-12-17 (public-webapps@w3.org from October to December 2009)

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 17 Dec 2009 10:08:53 -0800
To: Kenton Varda <kenton@google.com>
Cc: Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, Jonathan Rees <jar@creativecommons.org>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
Message-id: <08E9892D-2AB5-4CEC-B806-19FC48D82C4C@apple.com>
On Dec 17, 2009, at 9:15 AM, Kenton Varda wrote:

>
>
> On Thu, Dec 17, 2009 at 2:21 AM, Maciej Stachowiak <mjs@apple.com>  
> wrote:
>
> I'm not saying that Alice should be restricted in who she shares the  
> feed with. Just that Bob's site should not be able to automatically  
> grant Charlie's site access to the feed without Alice explicitly  
> granting that permission. Many sites that use workarounds (e.g.  
> server-to-server communication combined with client-side form posts  
> and redirects) to share their data today would like grants to be to  
> another site, not to another site plus any third party site that the  
> second site chooses to share with.
>
> OK, I'm sure that this has been said before, because it is critical  
> to the capability argument:
>
> If Bob can access the data, and Bob can talk to Charlie *in any way  
> at all*, then it *is not possible* to prevent Bob from granting  
> access to Charlie, because Bob can always just serve as a proxy for  
> Charlie's requests.

Indeed, you can always act as a proxy and directly share the data  
rather than sharing the token. However, this is not the same as the  
ability to share the token anonymously. Here are a few important  
differences:

- As Ian mentioned, in the case of some kinds of resources, one of the  
service provider's goals may be to prevent abuse of their bandwidth.
- Service providers often like to know for the sake of record-keeping  
who is using their data, even if they have no interest in restricting  
it. Often, just creating an incentive to identify yourself and ask for  
separate authorization is enough, even if proxy workarounds are  
possible. The reason given below states such an incentive.
- Proxying to subvert CORS would only work while the user is logged  
into both the service provider and the actually authorized service  
consumer who is acting as a proxy, and only in the user's browser.  
This limits the window in which to get data. Meanwhile, a capability  
token sent anonymously could be used at any time, even when the user  
is not logged in. The ability to get snapshots of the user's data may  
not be seen to be as great a risk as ongoing on-demand access.


I will also add that users may want to revoke capabilities they grant.  
This is likely to be presented to the user as a whitelist of sites to  
which they granted access, whether the actual mechanism is modifying  
Origin checks, or mapping the site to a capability token and disabling  
it.

>
> What CORS does do is make it so that Bob (and Charlie, if he is  
> proxying through Bob) can only access the resource while Alice has  
> his site open in her browser.  The same can be achieved with UM by  
> generating a new URL for each visit, and revoking it as soon as  
> Alice browses away.

How would the service provider generate a new URL for each visit to  
Bob's site? How would the service provider even know whether it's Bob  
asking for an update, or whether the user is logged in? If the  
communication is via UM, the service provider has no way to know. If  
it's via a hidden form post, then you are just using forms to fake the  
effect of CORS. Note also that such elaborations increase complexity  
of the protocol. To enable permissions to be revoked in a granular  
way, you must vend different capability tokens per site. Given that,  
it seems only sensible to check that the token is actually being used  
by the party to which it was granted.

>
>
>> Perhaps, though, you're suggesting that users should be able to  
>> edit the whitelist that is applied to their data, in order to  
>> provide access to new sites?  But this seems cumbersome to me --  
>> both to the user, who needs to manage this whitelist, and to app  
>> developers, who can no longer delegate work to other hosts.
>
> An automated permission grant system that vends unguessable URLs  
> could just as easily manage the whitelist. It is true that app  
> developers could not unilaterally grant access to other origins, but  
> this is actually a desired property for many service providers.  
> Saying that this feature is "cumbersome" for the service consumer  
> does not lead the service provider to desire it any less.
>
> You're right, the same UI I want for hooking up capabilities could  
> also update the whitelist.  But I still don't see where this is  
> useful, given the above.
>
>
>> (Of course, if you want to know the origin for non-security reasons  
>> (e.g. to log usage for statistical purposes, or deal with  
>> compatibility issues) then you can have the origin voluntarily  
>> identify itself, just as browsers voluntarily identify themselves.)
>>
>> 2) It provides additional defense if the "unguessable" URL is  
>> guessed, either because of the many natural ways URLs tend to leak,  
>> or because of a mistake in the algorithm that generates unguessable  
>> URLs, or because either Site B or Site A unintentionally disclose  
>> it to a third party. By using an unguessable URL *and* checking  
>> Origin and Cookie, Site A would still have some protection in this  
>> case. An attacker would have to not only break the security of the  
>> secret token but would also need to manage a "confused deputy" type  
>> attack against Site B, which has legitimate access, thus greatly  
>> narrowing the scope of the vulnerability. You would need two  
>> separate vulnerabilities, and an attacker with the opportunity to  
>> exploit both, in order to be vulnerable to unauthorized access.
>>
>> Given the right UI, a capability URL should be no more leak-prone  
>> than a cookie.  Sure, we don't want users to ever actually see  
>> capability URLs since they might then choose to copy/paste them  
>> into who knows where, but it's quite possible to hide the details  
>> behind the scenes, just like we hide cookie data.
>
> Hiding capability URLs completely from the user would require some  
> mechanism that has not yet been proposed in a concrete form. So far  
> the ways to vend the URL to the service consumer that have been  
> proposed include user copy/paste, and cross-site form submission  
> with redirects, both of which expose the URL. However, accidental  
> disclosure by the user is not the only risk.
>
>> So, I don't think this "additional defense" is really worth much,  
>> unless you are arguing that cookies are insecure for the same  
>> reasons.
>
> Sites do, on occasion, make mistakes in the algorithms for  
> generating session cookies. Or for that matter for CSRF-prevention  
> secret tokens. Cookies have some protections that explicit secret  
> tokens do not. First, there is no need to ever embed them in a page.  
> This means they are not prone to be revealed to attacks that can  
> observe the page content but not intercept network traffic or inject  
> script. CSS injection is an example of such an attack vector. Secret  
> tokens are often embedded via <input type="hidden"> or in URI- 
> containing attributes on elements in the DOM.
>
> Second, Cookies can further be as HttpOnly, which makes them  
> invisible to script, in such cases even a full XSS exploit cannot  
> steal the cookie (short of some additional exploit to get the victim  
> server to reflect it back).
>
> Finally, session cookies can be transparently reissued as often the  
> origin server cares to, thus limiting the time window for a  
> potential attack based on stealing them.
>
> Now, similar protections could be provided for capability tokens.  
> It's hard to evaluate that kind of idea in the abstract, without a  
> concrete proposal. But I have a hard time seeing how to do it other  
> than by the browser adding tokens to requests passively, and  
> collecting them from the service provider passively. However, that  
> would create a form of ambient authority and thus presumably would  
> miss the point.
>
> Sites also have a stronger incentive to protect their own cookies  
> (to defend their own resources) than they do to protect capability  
> tokens received from a third party (which merely protect some third  
> party's resource).
>
> I agree you have valid points here, but they are implementation  
> issues that are fundamentally solvable with some engineering.  I  
> would not allow secret tokens to appear in page content, but instead  
> always fetch them using XHR or some such, so sniffing them would  
> require scripting.  I could even imagine engineering a way to send  
> the tokens in HTTP headers such that scripts cannot actually read  
> the values.

Before they become implementation issues, they are design issues. No  
one has yet proposed an actual design that would give the same level  
of protection to tokens as we have for cookies. If we had such a  
design on the table we could evaluate its merits. There's not much we  
can do with just a claim that it's possible. For reasons stated above,  
it's not obvious to me that it actually is possible without creating a  
new form of ambient authority.

Note that not allowing tokens to appear in page content (I'm not  
really sure how this could be enforced) would make them unusable for  
use case like XBL or extended access to cross-site <img> or <video>,  
since in such cases a URL in the page content is the only way to make  
the request.

> Servers can re-issue cookies, but they can revoke and re-issue  
> capabilities too with the right design, so I don't think that's a  
> real benefit.

Updating cookies is much easier though - the server can do it on every  
page load. In any case, my goal was not to compare the relative merits  
of cookies and capability tokens.

My goal was merely to argue that adding an origin/cookie check to a  
secret-token-based mechanism adds meaningful defense in depth,  
compared to just using any of the proposed protocols over UM. I  
believe my argument holds. If the secret token scheme has any weakness  
whatsoever, whether in generation of the tokens, or in accidental  
disclosure by the user or the service consumer, origin checks provide  
an orthogonal defense that must be breached separately. This greatly  
reduces the attack surface. While this may not provide any additional  
security in theory, where we can assume the shared secret is generated  
and managed correctly, it does provide additional security in the real  
world, where people make mistakes.

Regards,
Maciej
Received on Thursday, 17 December 2009 18:09:59 UTC