[cap-talk] Confused Deputy gets a new name in Web 2.0 lingo

Tyler Close tyler.close at gmail.com
Tue Oct 17 01:28:14 CDT 2006 

On 10/16/06, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
> On Mon, 16 Oct 2006, Tyler Close wrote:
> > The Confused Deputy attack occurs because authorizations are not
> > reified, but are instead inferred based on the identity of the
> > requestor. So I don't understand what you mean about seeing the cookie
> > as being an authorization in a Confused Deputy attack.
>
> It isn't, in my opinion.  That's why i wrote what i did.  Your position
> is the one that seems to interpret the cookie as an authorization.
>
> In a confused deputy situation, the deputy inadvertently abuses authority.
> Is it the browser or the bank that is making the decision to exercise
> the authority?  I say the bank.  If you prefer to say the browser, you
> can, it just means that you have chosen to see the browser as conveying
> an authorization to the bank.

By that characterization all attacks would be defined as Confused
Deputy attacks, since in all attacks, authority is abused by some
actor. I think the term "Confused Deputy" is necessarily more narrowly
defined than you would seem to have it.

The "Confused Deputy" is a composite identity composed of the victim's
identity and the attacker's identity. The deputy is unable to express
on whose behalf particular parts of the current request are to be
done. The attacker exploits this ambiguity by crafting a request that
will result in the victim's authority being applied to an object named
by the attacker.

I don't see how it can be argued that the bank website is a composite
identity composed of the victim's identity and the attack website
identity.

On the other hand, the web browser has been endowed with the user's
bank credentials, as well as any credentials provided by the attack
website, and has been tasked with dispatching requests from this
composite identity. In the attack, the browser is unable to express
the fact that the bank account identifier (the FORM action URL) must
be associated with the attacker's identity, not the user's.

The bank account example is directly analogous to Norm's prototypical
Confused Deputy attack, in which the compiler is unable to express to
the filesystem that the output filename must be associated with the
attacker's identity, not the compiler owner's identity. The compiler
is like the web browser and the output filename is like the FORM
action URL.

This disagreement makes me think that it's not such a bad thing that
"Confused Deputy" is getting a new name. "Confused Deputy" is a really
bad name for the attack. The attack has got nothing to do with
confusion and the attack arises because the actor issuing the request
is not in fact a pure "deputy" (an agent operating as a representative
of another), but is an agent operating on behalf of multiple distinct
masters. The "Confused Deputy" attack is subtle and requires careful
thought. Perhaps the name is starting people out on the wrong foot.

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/

More information about the cap-talk mailing list