Cookies are Bad for You
Improving Security on the Web
Bearer token (draft-ietf-oauth-v2-bearer):

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer vF9dft4qmT

Cookie:

GET /resource HTTP/1.1
Host: server.example.com
Cookie: name=value; name2=value2

MAC access authentication (draft-ietf-oauth-v2-http-mac):

POST /request HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Authorization: MAC id="jd93dh9dh39D",
               nonce="273156:di3hvdf8",
               bodyhash="k9kbtCIy0CkI3/FEfpS/oIDjk6k=",
               mac="W7bdMZbv9UWOTadASIQHagZyirA="

hello=world%21

What gets signed (simplified; the draft's normalized request string also carries host, port and ext):

msg = nonce + method + URL + HASH(body)

HMAC, with the key padded to the hash block size:

opad = 0x5c5c5c...5c5c
ipad = 0x363636...3636
HMAC(key, msg) = HASH((key ^ opad) + HASH((key ^ ipad) + msg))

HMAC cost in browser JavaScript. Both tables come from the same jsperf test, which covers HMAC with SHA-1 and SHA-256.

| Client | short message | ~30k message |
|---|---|---|
| Android | 3 ms | 286 ms |
| iPhone | 1 ms | 100 ms |
| iPad | 1 ms | 91 ms |
| Firefox | 0.1 ms | 8 ms |
| Chrome | 0.09 ms | 7 ms |
| IE 8.0 | 3 ms | >1000 ms |
| IE 9.0 | 0.2 ms | 20 ms |

Source: http://jsperf.com/hmac-of-short-message-using-sha-1-and-sha-256/2

| Client | short message | ~30k message |
|---|---|---|
| Android | 8 ms | 500 ms |
| iPhone | 4 ms | 250 ms |
| iPad | 3 ms | 273 ms |
| Firefox | 0.3 ms | 15 ms |
| Chrome | 0.3 ms | 22 ms |
| IE 8.0 | 8 ms | >1000 ms |
| IE 9.0 | 0.6 ms | 63 ms |

Source: http://jsperf.com/hmac-of-short-message-using-sha-1-and-sha-256/2
References

The OAuth 2.0 Authorization Protocol, draft-ietf-oauth-v2-16: http://tools.ietf.org/html/draft-ietf-oauth-v2-16
The OAuth 2.0 Protocol: Bearer Tokens, draft-ietf-oauth-v2-bearer-04: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04
HTTP Authentication: MAC Access Authentication, draft-ietf-oauth-v2-http-mac-00: http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00