New rev of Strict Transport Security (STS) Specification
December 23rd, 2009Details are over here..
=JeffH sez check it out 
Browser Security Handbook
December 14th, 2009The Browser Security Handbook, brought to us by Michal Zalewski (of Google) is a quite useful document (droll understatement). It documents various security facets of the leading web browsers and provides succinct tabular comparisons of behaviors. It is available here..
Browser Security Handbook (BSH)
http://code.google.com/p/browsersec/wiki/Main
Michal has also created various test scripts and their source code is available from this page:
The BSH is created and maintained on the Google Code wiki, and thus isn’t available if you’re offline (like on a plane). The wiki doesn’t provide for a clean download with link fixups and all, so I turned to wget and use the below command to cache a local copy (I’m on Ubuntu GNU/Linux)..
wget -E -H -p --convert-links -nH -nd -N -P/PATH/TO/WHERE/YOU/WANT/IT/TO/LOCALLY/LIVE http://code.google.com/p/browsersec/wiki/Main http://code.google.com/p/browsersec/wiki/Part1 http://code.google.com/p/browsersec/wiki/Part2 http://code.google.com/p/browsersec/wiki/Part3
I alias the above gnarly command line to the simple “getbrowsersec” command name (via my .cshrc file), and so whenever I’m online and want to ensure I’ve got the latest revision, I just type “getbrowsersec” and I’m all set. If you live in the Windows world, I’m not sure how you’d do the above natively. I’d install Cygwin, and then one has wget, and can just use the above command.
Strict Transport Security specification
September 19th, 2009I can’t do a detailed post right now, pointing to announcement message and the spec itself will have to do. This is what I’ve been working on since joining PayPal…
fyi: Strict Transport Security specification
http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html
draft-hodges-strict-transport-sec-05.plain.html
http://lists.w3.org/Archives/Public/www-archive/2009Sep/0051.html
This specification embodies and refines the approach proposed in..
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
https://crypto.stanford.edu/forcehttps/forcehttps.pdf
=JeffH sez check it out!
Change of Affiliation: =JeffH -> PayPal InfoSec Team
September 19th, 2009Ok, my apologies for latency, this is somewhat old news, but I haven’t as yet “announced” it: I landed at PayPal, in the Information Risk Management organization under Michael Barrett (”InfoSec Team” for short), back in March.
I’m very excited to be working at one of the premier web-based organizations and also directly in the security end of things. I now get to be involved in the adoption and deployment of the various online identity and security technologies I’ve been contributing to for many years, as well as contribute to carrying them forward, and also learn some new things.
The latter has been a fair bit of work and steep learning curve as it has involved “web (in)security”, which is a vast swamp involving XSS, CSRF, response-splitting, clickjacking, etc. (hence my crawling into a cave the last several months). And not least, I’ve been very much enjoying meeting and working with key folks involved in web security and browser implementation.
And so with the public announcement of the first web security specification that I’ve contributed to (see next post), it seemed I ought to really pop this frame to the top of the stack and get it out there 8^).
Towards Kerberizing Web Identity and Services
February 4th, 2009Some colleagues (Josh Howlett, Leif Johansson, RL “Bob” Morgan) and I had the good fortune to help the MIT Kerberos Consortium (MITKC) with some analysis and strategy planning for the (broad) topic of “Kerberos and the Web”, during this last Fall 2008. The main deliverables of this project are this document..
Towards Kerberizing Web Identity and Services
http://kerberos.org/software/kerbweb.pdf
..and this presentation..
Kerberos for the Web: Current State and Leverage Points
http://kerberos.org/events/Board-11-3-08/4-KerberosandWeb.pdf
..given at the MITKC’s Financial Services Security Summit and MIT Kerberos Consortium Executive Advisory Board Meeting last Fall.
Of course, these documents may not make much sense if one doesn’t know what Kerberos is, so if that’s the case, this brief tutorial ought to be helpful, as well as the Kerberos entry on Wikipedia. Additionally, the MITKC has published a series of Kerberos whitepapers outlining Kerberos’ role(s) in the Big Picture of information systems in general, as well as various best practices.
That said, the MITKC’s announcement of the document provides overall rationale for their Kerberos-on-the-Web project. They have also established a new public mailing list for technical discussions on this topic.
Additionally, here’s the salient portions of the paper’s abstract..
Today authentication and authorization are addressed in an incoherent, and often site-specific, fashion on the Internet and the Web specifically. This situation stems from many factors including the evolution, design, implementation, and deployment history of HTTP and HTTP-based systems in particular, and Internet protocols in general.
Kerberos is a widely-implemented and widely-deployed authentication substrate with a long history in various communities and vendor products. Organizations that currently use Kerberos as a key element of their infrastructure wish to take advantage of its unique benefits while moving to Web-based systems, but have had limited success in doing so. …
In this paper we outline the evolution of Web Identity and Services and describe the issues surrounding this complex landscape. These issues are captured within a set of more specific requirements that are deemed necessary to satisfy the relevant stakeholders; these requirements are then framed within the context of some general use cases. We then propose and describe a number of activities that leverage Kerberos to realize these improvements, and present an overall strategy and architectural model for working towards a more cohesive and widely deployed Kerberos-based Web authentication infrastructure.
Casual readers may find the section entitled A Short History of Web Identity and Services interesting, while those desiring the gory details as well as the identified opportunities will benefit from reading the entire paper. Here’s the overall summary illustration..
Summary of opportunities for Kerberos and the Web Architecture
In concluding, we recommend that in conjunction with developing an overall strategy and architecture with stakeholders, that the MITKC ought to initiate at least these activities..
- Specify the use of Kerberos with TLS
- SAML-in-Kerberos: Extend Kerberos to permit the inclusion of a SAML assertion in KDC issued authorization data
- Kerberos-in-SAML: SAML profile supporting the generation of SAML assertions containing Kerberos tickets
- Update WS-Security Kerberos Token Profile specification
- Leverage SAML metadata to enable large-scale Kerberos cross-realm communities”), and
- Investigate, document and promote existing methods of using Kerberos to authenticate against a SAML identity provider
Discussion of this paper and the MITKC’s overall Kerberos-and-the-Web project occurs on the (new) mitkc-web@mit.edu mailing list. Feel free to subscribe and join in.
New rev of SIP-SAML profile
November 4th, 2008There’s a new revision of the SIP-SAML profile spec..
SIP SAML Profile and Binding
http://www.ietf.org/internet-drafts/draft-ietf-sip-saml-05.txt
The key changes in this revision are that we’re aiming for experimental track (for now) due to a subtle-but-important impedance mismatch with the “SIP Identity” spec (RFC 4474, which we build upon), and we’ve add an additional profile to the spec. This new profile simply specifies SAML assertion conveyance “by value” in the body of SIP message(s) rather than “by reference”.
Note that the overall notion of “SIP Identity” has been in-flux over the last year+. Once that set of issues is (hopefully) resolved, then we can do another SIP-SAML spec on the standards track.
Also, the SIP WG co-chairs have called for Working Group Last Call on this -05 revision.
=JeffH sez getcher comments in!
OAuth Protocol Flow Diagrams
October 22nd, 2008I found the existing protocol flow diagram in the current OAuth spec..
OAuth Core 1.0
http://oauth.net/core/1.0/
..somewhat hard to follow. So I concocted three separate new ones using the so-called “swimlane” technique that I’m used to.
I posted these to the OAuth list a while back, and a few folks reposted them to their blogs, but no one has yet piped up to say I got anything wrong. But YMMV, there might be bugs in here.
FWIW, I’ve posted them below in case others find them useful. Also, I have them in a single file..
http://identitymeme.org/doc/draft-hodges-oauth-05-figures.txt
..also featuring OpenID and SAML Web Browser SSO Profile diagrams for comparison purposes. Note that in all things protocol, definitions of terms are essential in order to be able to effectively communicate and reason about protocols, so I’ve included key definitions from the OAuth spec in the file.
NOTE: fixed-pitch font required for viewing. Also, wordpress is obviously messing up the diagrams below, and they consequently look sorta lame, here on the blog. This site presently uses an old wordpress install, maybe this will help motivate me to upgrade it. In the meantime, check out the file linked-to above for the best viewing experience 
Fig 1: out-of-band consumer setup/config
photos.example.net
+----------+
| |
| OAuth |
| service |
printer.example.com | provider |
+---------+ | |
|developer| | Sys |
| of | | Admin |
| OAuth | | |
|consumer | | |
| | | [SP] |
+----+----+ +----+-----+
| |
| obtain Consumer Key |
| and Consumer Secret |
| [details unspec'd, |
| performed out-of- |
| band.] |
|--------------------->|
|< ---------------------|
| |
| |
Fig 2: “Web-based consumer”
The "consumer" is a website or other application that accesses
the Service Provider on behalf of the wielder (user) of the user agent
(UA is typically a browser, but could be some other app).
Steps 1.n. "Obtain Unauthorized Request Token"
2.n. "User Authorizes Request Token"
3.n. "Exchange Request Token for Access token"
4.n. UA accessing protected resources at SP
photos.example.net
+----------+
| |
| OAuth |
printer.example.com | Service |
+--------+ | Provider |
| | | |
| OAuth | |[protected|
|Consumer| |resources]|
+----+ | | | |
| UA | | [RP] | | [SP] |
+-+--+ +---+----+ +----+-----+
| | |
| 1.0. User Agent inter-| |
| acts with Consumer | |
| site [optional] | |
|< --------------------->| |
| | |
| | |
| | |
| 1.1. UA informs/directs |
| Consumer to do something |
| with a resource (e.g. | |
| a photo) at SP | |
|---------------------->| |
| | |
| | |
| | |
| | 1.2. Consumer attempts
| | accessing photo at SP|
| |--------------------->|
| | |
| | |
| | 1.3. SP replies with |
| | a HTTP 401 containing|
| | a "OAuth" www-authn |
| | header field |
| |< ---------------------|
| | |
| | |
| | 1.4. Consumer replies|
| | with a request for |
| | "unauthorized Request|
| | Token" (uRT) via POST|
| | to SP's "request token
| | URL" |
| |--------------------->|
| | |
| | |
| | 1.5. SP issues uRT & |
| | token secret to |
| | Consumer. |
| |< ---------------------|
| | |
| | |
| | |
| 2.0. Consumer redirects |
| UA to SP "User Author-| |
| ization URL" including| |
| the uRT. | |
+<- - - - - - - - - - - - | |
. | (indirected via UA) | |
. | | |
+-------------------------+--------------------->|
| | |
| | |
| | |
| | |
| 2.2. User authenticates with the Service |
| Provider (optional, methods vary, realization|
| is out of scope) |
|< ============================================>|
| 2.3. User grants or declines permission |
| for the Service Provider allow Consumer |
| access to the resource (e.g. photo). |
| | |
| | |
| | |
| | |
| 2.4. If permision granted, UA redirected back|
| to Consumer's "Callback URL", conveying the |
| uRT. | |
+< - - - - - - - - - - - - - - - - - - - - - - - -|
. | (indirected via UA) | |
. | | |
. | | |
+------------------------>| |
| | |
| | |
| |3.0. Consumer requests|
| |Access token, supplies|
| |uRT. |
| |--------------------->|
| | |
| | |
| | |
| |3.1. SP grants Access |
| | Token. |
| |< ---------------------|
| | |
| | |
| |4.x. Consumer uses the|
| |Access Token, Access |
| |Token Secret, Consumer|
| |Key, and Consumer Secret
| |to make authenticated |
| |request(s) to the Service
| |Provider. |
| |=====================>|
| | . |
| | . |
| | . |
| | |
Fig 3: “desktop-based consumer”
this is case where user is wielding some app that is both a UA and a Consumer.
+----------+
| |
| OAuth |
| service |
+--------+ | provider |
| | | |
|Desktop-| |[protected|
|based | |resources]|
|Consumer| | |
| | | |
| UA | | [SP] |
+-+------+ +----+-----+
| |
| 1. Consumer requests "unauthorized Request |
| Token (uRT)" with POST to SP's "request token"
| URL. |
|--------------------------------------------->|
| |
| |
| 1.1. SP issues uRT and Token Secret to |
| consumer. |
|< ---------------------------------------------|
| |
| |
| |
| 1.2. User authenticates with the Service |
| Provider (optional, methods vary, realization|
| is out of scope) |
|<============================================>|
| 3. User grants or declines permission |
| for the Service Provider to issue Access |
| Token. |
| |
| |
| |
| |
| 4. Service Provider authorizes the uRT to be |
| exchanged for an Access Token and secret. |
|< ---------------------------------------------|
| |
| |
| |
| 5. Consumer exchanges the uRT and secret |
| for an Access Token and Secret. |
|--------------------------------------------->|
|< ---------------------------------------------|
| |
| |
| |
| 6. Consumer uses the Access Token, Access |
| Secret, Consumer Key, and Consumer Secret |
| to make authenticated request(s) to the Service
| Provider |
|<============================================>|
| . |
| . |
| . |
| . |
| . |
| . |
| |
Stats – A Cool Last.fm Group
March 10th, 2008I just ran across this group at Last.fm..
..it’s denizens post articles about and pointers to cool little gizmos/widgets/whathaveyous that one can use to leverage Last.fm data.
I ran across it via this person’s profile..
..he has a personal website where he offers..
Data mining musical profiles
Anthony Liekens, March, 28-April, 2 2007
..that article, and a web interface to his various tools.
.
=JeffH sez check it out
[update] ps: note that sites such as last.fm have relevance to the more general notion of identity in that publishing the music one listens to is an aspect of one’s identity.
I Done Left Los Windows…
January 30th, 2008I’m blogging about my personal computing environment over on my “personal” blog, and just posted a note about my recent migration from MS Windows XP to (K)ubuntu GNU/Linux. Here’s a pointer to it..
I Done Left Los Windows…
http://kingsmountain.com/blog/archives/2008/01/30/i-done-left-los-windows/
Will “open internet” IDM Migrate Towards “trust circles” ?
January 21st, 2008Eve (aka xmlgrrl) posted the following bit of musing today..
Circles of trust: disaster? or really bad idea?
http://www.xmlgrrl.com/blog/archives/2008/01/21/circles-of-trust-disaster-or-really-bad-idea/
..which I tend to think hits the proverbial nail pretty squarely on the head wrt “open internet”, “trust all comers”, and “trust circles”.
One very small, detail-level comment I have on her post is that where she writes..
(where users are okay with this sort of back-channel communication)
..I would instead make it explicitly clear that “users” sometimes don’t have any direct say with respect to the machinations of the IT department on their behalf. Hence I would write it as..
(where users are okay with this sort of back-channel communication, or where they don’t have any say (e.g. in an enterprise deployment))
Note I don’t feel that the latter is necessarily a good thing, but it’s reality in corporate, governmental, and education worlds (at least), and no amount of attesting that “I want to own my identity data!” is going to change it any time soon (admittedly unfortunately). Besides one’s identity, outside of one’s own thoughts, “..is a story“, as Bob Blakley noted a while back, but has been understood for quite a while by social scientists and philosophers (see, for example, Erving Goffman).
But I digress…