Attacker Model - Browsers and Endpoints
From an email from Nat:
Currently, the attacker model states:
- Browsers and Endpoints: Devices and browsers used by resource owners are considered not compromised. Other endpoints not controlled by an attacker behave according to the protocol.
This kind of deviates from the assumption for FAPI 1.0. We wanted to sign the requests and responses because the TLS breaks in the browser and can be tampered with. Is this captured elsewhere in the attacker model?
Comments (8)
- reporter:
  I think the issue was not browsers being corrupted, but middle-boxes like TLS terminating proxies. If a browser is compromised, attackers can probably do nastier stuff.
  Yes, the distinction between interception and tampering is a bit artificial. There are real-life scenarios, however, where an attacker can read auth requests and responses but not intercept or tamper with them: reading the messages from system log files, browser history, or similar sources.
- changed status to open
- I see, so it is captured in A2 - Network attacker. Correct?
- No, one of the more “specialized” attacker types like A3b, A5 or A7.
- Todo for me: Discuss why we don’t have write on authorization request and response.
- reporter: changed status to resolved
  PR merged to improve description.
- From memory I think the discussion was that interception is the same as tampering, as if an attacker can read a message, the attacker can craft a new message which contains a tampered version of the read message. In A3A and A3B we assume that the attacker can read auth requests and responses, which essentially means they can tamper. I will see if I can find previous discussion on this, but it would be good to hear from @Daniel Fett on this.