JWTs Suck

Transcript

1. JWTs Suck (for web auth and basically everything else) @rdegges

   @oktadev

2. Randall Degges Chief Hacker @ Okta Python / Node /

   Go

3. What are JWTs? - JSON data - Cryptographically signed -

   Not encrypted - Not special

4. What’s a Cryptographic Signature? Randall Degges Dear Sir/Madam, The great

   king of Los Angeles recently died and left his entire fortune to you, his distant cousin. To claim $10 million dollars he left you, I'll need your bank account information... That's a signature!

5. What Do JWTs Actually Do? Prove that some JSON data

   can be trusted.

6. How Do People Typically Use JWTs? As identity proof

7. How JWTs are Most Commonly Used ➔ User sends credentials

   to website to login ➔ Website validates credentials, generates JWT ➔ Website sends response to browser containing JWT ➔ Browser then stores JWT in localStorage ➔ Browser pulls JWT out of localStorage and sends it to website for subsequent requests

8. What happens when you Google JWTs? JWTs are amazing! JWTs

   are awesome! We <3 JWTs! You're a n00b if you don't use JWTs!

9. Everyone is wrong.

10. None

11. Everyone has forgotten how amazing session cookies actually are.

12. Let’s define some terms...

13. Term: Stateless JWT Definition: A JWT that is entirely self-contained,

    and holds all user information necessary to complete a transaction within it. EG: userName, firstName, lastName, email, etc…

14. website Let me see this page! Validates token… OK! It

    looks like your name is Randall Degges, and your email is [email protected] OK Randall, here’s the web page you requested.

15. Term: Stateful JWT Definition: A JWT that only contains a

    session ID. All user data is stored server-side and retrieved from a database.

16. website Let me see this page! Validates token… OK! Your

    session ID is 12345. It looks like your name is Randall Degges, and your email is [email protected] OK Randall, here’s the web page you requested. db Who is the user with session ID 12345? Session ID 12345 is Randall Degges. Here you go.

17. Term: Session Cookie Definition: A cryptographically signed session identifier stored

    in a cookie. All user data is stored server-side and retrieved from a database.

18. website Let me see this page! Your session ID is

    12345. Your signature looks good! It looks like your name is Randall Degges, and your email is [email protected] OK Randall, here’s the web page you requested. db Who is the user with session ID 12345? Session ID 12345 is Randall Degges. Here you go.

19. BONUS: What’s the difference between a Session Cookie and a

    Stateful JWT? - They’re both cryptographically signed - They both contain a session identifier (12345) - One uses the JWT format (JSON) and one is just a simple string ¯\_(ツ)_/¯

20. Term: Cookies Definition: An HTTP header field that allows you

    to store or retrieve key/value data, set data expiration times, and apply various other data integrity rules. Caps out at ~4k.

21. body { "Set-Cookie": "session=signed(12345)" } Creating Cookies Set-Cookie: a=b; c=d;

    e=f website Log me in!

22. NOTE: Required Cookie Flags Set-Cookie: a=b; HttpOnly; SameSite=strict; secure; No

    nasty cross-origin cookie sharing! SSL only!

23. body { "Cookie": "session=signed(12345)" } Reading Cookies website Show me

    a page! I see your cookie header and have parsed it! I know who you are!

24. Term: Local Storage Definition: A Javascript API that allows a

    user to store data in a browser that is accessible only via Javascript. Also known as “session storage”. Widely considered to be an alternative to using cookies to store session data.

25. Myths about JWTs

26. JWTs are Easier to Use JWTs: • First spec draft:

    Dec 27, 2012 • Began gaining adoption / marketing: mid 2014 • Requires additional tools, libraries, and knowledge to function (developer effort required) Session Cookies: • Every web framework since 1990s • Requires 0 effort to use

27. Score JWTs Session Cookies 0 1

28. JWTs are More Flexible Session Cookies { “sessionId”: “12345”, “email”:

    “[email protected]”, “firstName”: “Randall”, “lastName”: “Degges” } sessionId=12345; [email protected]; firstName=Randall; lastName=Degges JWTs

29. JWTs are More Flexible { “userId”: “12345”, “email”: “[email protected]”, “firstName”:

    “Randall”, “lastName”: “Degges”, “iat”: “123456789”, “exp”: “987654321” } userId=12345; [email protected]; firstName=Randall; lastName=Degges; Expires=xxxx; Session Cookies JWTs

30. Score 0 2 JWTs Session Cookies

31. JWTs are More Secure Good: • Cryptographically signed • Can

    be encrypted (JWE) Bad: • Complex spec / crypto :( • Multiple vulnerabilities found in last three years • Vastly different support in libraries Good: • Cryptographically signed • Can be encrypted • Been around since ~1994 • Well vetted, battle tested • 0 complexity in the spec • No vulnerabilities in like… forever • Identical library support everywhere Session Cookies JWTs

32. Score 0 3 JWTs Session Cookies

33. JWTs Prevent CSRF

34. DETOUR! What is CSRF? bank.com Checking my accounts.... bank.com/transfer Hey!

    Check out this picture of my dog! OK! Transfer received! Sending 1 million dollars to [email protected]! - amount ($$) - to (email) <img src="bank.com/transfer?amount=1 000000&to=jerk%40gmail.com">

35. JWTs Prevent CSRF Cookies • You are still susceptible to

    CSRF Local Storage • You are safe from CSRF, but have opened yourself up to a much greater attack vector… XSS

36. CSRF is trivial to fix. XSS… Not so much.

37. Bad News

38. But… I just won’t use third party JS on my

    site… So I can still be secure!

39. “… In other words, any authentication your application requires can

    be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended not to store any sensitive information in local storage.” - OWASP (Open Web Application Security Project)

40. Score 0 4 JWTs Session Cookies

41. JWTs Are Better for Cross Domain www. Log me in!

    Well, I don’t do login. Redirecting... login. Here’s the login page. Log in. Ok! Here’s my login info. Looks legit. I just logged you in with a cookie. dashboard. Now I’m redirecting you to the dashboard page with ?token=xxx in the querystring. This JWT in the querystring is valid. I’m now creating a cookie for you. Welcome to the dashboard page. *I also generated a JWT that lasts for 10 seconds.

42. Score 0 5 JWTs Session Cookies

43. JWTs are More Efficient JWT({ sessionId: 'aKF271L99Q47Zy9Ds9lCefuizH9wuTjVewxH4yaL' }) signed(aKF271L99Q47Zy9Ds9lCefuizH9wuTjVewxH4yaL) //

    179 bytes // 64 bytes ~3x larger BUT... ~10x -> 100x!

44. Score 0 6 JWTs Session Cookies

45. JWTs Are Easy to Revoke website My name is Randall,

    I’m an admin, I have a 1 hour token. Log me in! time H4x3d!!! J00r t0k3ns r m1n3! website Someone’s account was hacked! Let’s change the signing key!

46. Randall, you are a n00b! If I want to invalidate

    an individual JWT I can just use a revocation list!!

47. website Show me the page! db Has this token been

    revoked? Yep! Go die. OK, OK

48. Score 0 7 JWTs Session Cookies

49. JWTs are Easier to “Scale” Good - Can be validated

    locally without any necessary external DB access Bad - This only applies to stateless JWTs, not stateful JWTs - Requires more bandwidth on every request Good - Can use different types of session caches to speed up access server-side (including local memory) - Requires less bandwidth for users Bad - Always requires some sort of DB / cache to retrieve data Session Cookies JWTs

50. website Show me the page! db Do we know this

    person? Yep! Here’s the page you requested. Session Scaling (basic)

51. website Show me the page! db Who is this guy?

    This is xxx. Here’s the page you requested. Session Scaling (advanced) db db

52. website db Who is this guy? This is xxx. Session

    Scaling (super advanced) db db db db db db db db us-east us-west eu

53. Score 0 8 JWTs Session Cookies

54. JWTs Are Secure By Design website My name is Randall,

    I’m an admin, I have a 1 hour token. Log me in! time website Randall is a jerk. Revoke his admin access! website Let me delete everything! Sure thing, boss!

55. Score 0 9 JWTs Session Cookies

56. So how should I use JWTs then, you jerk?

57. Rules for Using Tokens 1. They should have a short

    lifespan (few seconds) 2. They should only be used a single time PROTIP: Don't use JWTs though. There are better, safer, more modern standards for tokens now (e.g., PASETO).

58. JWT Use Cases website file server I paid for this

    file! Let me download it! Ok, here’s your download token. It expires in 1 minute. Give me the file!! Your JWT looks legit. OK. Here’s the file.

59. JWT Use Cases (cont) website Reset my password. Ok! I’ve

    emailed you a link that has a JWT in the URL which will expire in 30 minutes. Ok! I clicked the link. This JWT looks legit. I suppose I’ll let you reset your password. Ok, your PW has been reset.

60. So why are JWTs so popular then?

61. None

62. What else even is there?!

63. PASETO! https://paseto.io • Lots of different options (algorithms, use cases,

    etc.) • Confusing / complex spec • Hard to implement correctly • Two options only (local or public?) • Simple, not confusing • Nearly impossible to implement incorrectly PASETO JWTs
64. None

65. @rdegges Thank you! @oktadev

66. teespring.com/dontusejwts