Replay attacks vs man in the middle

Sam Ruby rubys at
Fri May 20 10:39:36 PDT 2005

Brad Fitzpatrick wrote:
> Regarding nonce vs. timestamp and why it doesn't matter:
> The man-in-the-middle this is preventing is an identity server in the
> middle, posing as a browser to the real identity server.  When I first got
> into this and went through several schemes, it quickly became apparent
> that almost anything a browser could do, an identity-server-in-the-middle
> could appear to do too.  The only differences were that:
>  -- a real browser knew the identity server's cookies
>  -- a real browser would follow redirects faithfully
> Hence the TypeKey-like redirect.  If somebody can sniff your traffic and
> get the DSA signature in the redirect from identity site to consumer, wow!
> They know you're you!  They already knew that from sniffing the rest of
> your cookies and LJ traffic.
> If a pair of sites cares about that, they both use SSL.
> The DSA signature with timestamp is there so consumers who DO care about
> freshness can use the timestamp to make sure a signature was issued only
> in the past $n minutes.  And because the signature as a whole was signed
> using a random number, the entire signature itself is a nonce, so the
> consumer site can prevent replay attacks by just not accepting that digest
> ever again.
> That said, am I still missing something?

This conversation would go faster if there was a prototype server I 
could review.  But just looking at the traffic flows from the 
perspective of your server, it looks to me that there is a problem.

Here's how I see it.  You send down an initial form.  That form contains 
information that indicates that you would *like* it to actually respond 
to a request to go to the ID server.  If such a request is received, you 
will serve up a page which indicates that you would *like* this to 
redirect to the return_to_URL.  At which point, you *hope* that the 
server at the return_to_URL has some say, and ultimately produces a 
signature that is sent back to you.

Now, realize that I have GreaseMonkey, and all those likes and hopes I 
am free to treat as mere hints.

In fact, the easiest thing I could do is to let the system go through 
the motions.  I initiate a post to your website saying that I am Fred. 
Fred's server serves up a page which asks me to authenticate.  I, of 
course, fail, but instead of the IFrame passing back up this little bit 
of information, I pass up a different response instead.  Remember, I 
have Greasemonkey.  This browser does what *I* want it to do.

 From your perspective, you served up a comment form.  You initiated a 
redirect to Fred's machine.  You get back a response that says "Fred 
says it was OK".  What's not to like?

At this point, let me stop here.  If I am wrong, I don't need to go any 
further.  But if I am right, I can sketch out a simple solution that 
solves this problem.

- Sam Ruby

More information about the yadis mailing list