Slide 1

JWTs Suck (for web auth and basically everything else)
@rdegges @oktadev

Slide 2

Randall Degges, Chief Hacker @ Okta
Python / Node / Go

Slide 3

What are JWTs?
- JSON data
- Cryptographically signed
- Not encrypted
- Not special

Slide 4

What's a Cryptographic Signature?

  Dear Sir/Madam,
  The great king of Los Angeles recently died and left his entire fortune to you, his distant cousin. To claim the $10 million dollars he left you, I'll need your bank account information...
  Signed, Randall Degges

That's a signature!

Slide 5

What Do JWTs Actually Do?
Prove that some JSON data can be trusted.

Slide 6

How Do People Typically Use JWTs?
As identity proof.

Slide 7

How JWTs are Most Commonly Used
➔ User sends credentials to website to log in
➔ Website validates credentials, generates JWT
➔ Website sends response to browser containing JWT
➔ Browser then stores JWT in localStorage
➔ Browser pulls JWT out of localStorage and sends it to website for subsequent requests

Slide 8

What happens when you Google JWTs?
"JWTs are amazing!" "JWTs are awesome!" "We <3 JWTs!" "You're a n00b if you don't use JWTs!"

Slide 9

Everyone is wrong.

Slide 10

No content

Slide 11

Everyone has forgotten how amazing session cookies actually are.

Slide 12

Let's define some terms...

Slide 13

Term: Stateless JWT
Definition: A JWT that is entirely self-contained and holds all the user information necessary to complete a transaction within it. E.g. userName, firstName, lastName, email, etc.

Slide 14

(Stateless JWT flow)
user -> website: Let me see this page!
website: Validates token... OK! It looks like your name is Randall Degges, and your email is [email protected]
website -> user: OK Randall, here's the web page you requested.

Slide 15

Term: Stateful JWT
Definition: A JWT that only contains a session ID. All user data is stored server-side and retrieved from a database.

Slide 16

(Stateful JWT flow)
user -> website: Let me see this page!
website: Validates token... OK! Your session ID is 12345.
website -> db: Who is the user with session ID 12345?
db -> website: Session ID 12345 is Randall Degges. Here you go.
website: It looks like your name is Randall Degges, and your email is [email protected]
website -> user: OK Randall, here's the web page you requested.

Slide 17

Term: Session Cookie
Definition: A cryptographically signed session identifier stored in a cookie. All user data is stored server-side and retrieved from a database.

Slide 18

(Session cookie flow)
user -> website: Let me see this page!
website: Your session ID is 12345. Your signature looks good!
website -> db: Who is the user with session ID 12345?
db -> website: Session ID 12345 is Randall Degges. Here you go.
website: It looks like your name is Randall Degges, and your email is [email protected]
website -> user: OK Randall, here's the web page you requested.

Slide 19

BONUS: What's the difference between a Session Cookie and a Stateful JWT?
- They're both cryptographically signed
- They both contain a session identifier (12345)
- One uses the JWT format (JSON) and one is just a simple string
¯\_(ツ)_/¯

Slide 20

Term: Cookies
Definition: An HTTP header field that allows you to store or retrieve key/value data, set data expiration times, and apply various other data integrity rules. Caps out at ~4k.

Slide 21

Creating Cookies
user -> website: Log me in!
website -> user: HTTP response
  headers: { "Set-Cookie": "session=signed(12345)" }
  body
Set-Cookie: a=b; c=d; e=f

Slide 22

NOTE: Required Cookie Flags
Set-Cookie: a=b; HttpOnly; SameSite=strict; secure;
SameSite=strict: No nasty cross-origin cookie sharing!
secure: SSL only!
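The signed session cookie of slides 17 through 22 in working form, as an added example that is not the talk's own code: the cookie carries only the session ID plus an HMAC over it, the server checks the MAC before trusting the ID, the user data comes from a server-side store, and the Set-Cookie header carries the flags slide 22 calls required. The server key and the session "database" are constructed stand-ins.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret and session store (hypothetical, not the talk's code).
SERVER_KEY = b"example-server-signing-key-do-not-reuse"
SESSION_DB = {"12345": {"firstName": "Randall", "lastName": "Degges"}}


def _mac(session_id: str) -> str:
    """HMAC-SHA256 over the session id, base64url without padding."""
    digest = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_session(session_id: str) -> str:
    """signed(12345) from the slides: the id followed by its MAC."""
    return f"{session_id}.{_mac(session_id)}"


def verify_session(cookie_value: str):
    """Return the session id if its MAC checks out, else None.

    compare_digest keeps the comparison constant-time so the MAC cannot be
    guessed byte by byte from timing differences."""
    session_id, sep, mac = cookie_value.rpartition(".")
    if not sep or not session_id or not mac.isascii():
        return None
    if not hmac.compare_digest(mac, _mac(session_id)):
        return None
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value from slides 21 and 22, including the required flags."""
    return f"session={sign_session(session_id)}; HttpOnly; SameSite=Strict; Secure"


def lookup_user(cookie_value: str):
    """Stateful lookup from slide 18: the cookie proves the id, the data lives server-side."""
    session_id = verify_session(cookie_value)
    return SESSION_DB.get(session_id) if session_id else None


if __name__ == "__main__":
    print(set_cookie_header("12345"))
    print(lookup_user(sign_session("12345")))
    print(lookup_user("99999." + _mac("12345")))  # id swapped, MAC no longer matches: None
```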

Slide 23

Reading Cookies
user -> website: Show me a page!
  headers: { "Cookie": "session=signed(12345)" }
  body
website: I see your cookie header and have parsed it! I know who you are!

Slide 24

Term: Local Storage
Definition: A JavaScript API that allows a user to store data in a browser that is accessible only via JavaScript. Also known as "session storage". Widely considered to be an alternative to using cookies to store session data.

Slide 25

Myths about JWTs

Slide 26

JWTs are Easier to Use
JWTs:
● First spec draft: Dec 27, 2012
● Began gaining adoption / marketing: mid 2014
● Requires additional tools, libraries, and knowledge to function (developer effort required)
Session Cookies:
● Every web framework since the 1990s
● Requires 0 effort to use

Slide 27

Score: JWTs 0, Session Cookies 1

Slide 28

JWTs are More Flexible
JWTs:
{ "sessionId": "12345", "email": "[email protected]", "firstName": "Randall", "lastName": "Degges" }
Session Cookies:
sessionId=12345; [email protected]; firstName=Randall; lastName=Degges

Slide 29

JWTs are More Flexible
JWTs:
{ "userId": "12345", "email": "[email protected]", "firstName": "Randall", "lastName": "Degges", "iat": "123456789", "exp": "987654321" }
Session Cookies:
userId=12345; [email protected]; firstName=Randall; lastName=Degges; Expires=xxxx;

Slide 30

Score: JWTs 0, Session Cookies 2

Slide 31

JWTs are More Secure
JWTs:
Good:
● Cryptographically signed
● Can be encrypted (JWE)
Bad:
● Complex spec / crypto :(
● Multiple vulnerabilities found in the last three years
● Vastly different support in libraries
Session Cookies:
Good:
● Cryptographically signed
● Can be encrypted
● Been around since ~1994
● Well vetted, battle tested
● 0 complexity in the spec
● No vulnerabilities in like... forever
● Identical library support everywhere

Slide 32

Score: JWTs 0, Session Cookies 3

Slide 33

JWTs Prevent CSRF

Slide 34

DETOUR! What is CSRF?
user -> bank.com: Checking my accounts....
attacker -> user: Hey! Check out this picture of my dog!
(the "picture" is really a request to bank.com/transfer with fields: amount ($$), to (email))
bank.com: OK! Transfer received! Sending 1 million dollars to [email protected]!

Slide 35

JWTs Prevent CSRF
Cookies
● You are still susceptible to CSRF
Local Storage
● You are safe from CSRF, but have opened yourself up to a much greater attack vector... XSS

Slide 36

CSRF is trivial to fix. XSS... Not so much.
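What "trivial to fix" looks like on the server side of the bank.com/transfer example, as an added illustration rather than code from the talk: state-changing requests must carry a per-session synchronizer token that a cross-site page cannot read, and an Origin (or Referer) matching the site. The site origin and the header and form dictionaries are constructed stand-ins for whatever a real framework hands the handler.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SITE_ORIGIN = "https://bank.com"  # constructed: the talk's example site


def origin_allowed(headers: dict) -> bool:
    """A forged request from another site arrives with that site's Origin (or Referer).

    Requests with no provenance header at all are rejected rather than guessed about."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_safe(method: str, headers: dict, form: dict, session_csrf_token: str) -> bool:
    """Synchronizer-token check for a state-changing request.

    The browser attaches the session cookie to a cross-site form post automatically,
    but the attacker's page cannot read the per-session token to put it in the form,
    so a request that lacks the correct token (or comes from another origin) is refused."""
    if method.upper() in SAFE_METHODS:
        return True  # reads must not change state, so there is nothing to forge
    if not origin_allowed(headers):
        return False
    submitted = form.get("csrf_token", "")
    if not submitted.isascii():
        return False
    return hmac.compare_digest(submitted, session_csrf_token)


if __name__ == "__main__":
    token = "constructed-session-token"
    print(csrf_safe("POST", {"Origin": "https://evil.example"}, {"csrf_token": token}, token))  # False
    print(csrf_safe("POST", {"Origin": "https://bank.com"}, {"csrf_token": token, "amount": "1"}, token))  # True
```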

Slide 37

Bad News

Slide 38

But... I just won't use third party JS on my site... So I can still be secure!

Slide 39

"... In other words, any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it's recommended not to store any sensitive information in local storage."
- OWASP (Open Web Application Security Project)

Slide 40

Score: JWTs 0, Session Cookies 4

Slide 41

JWTs Are Better for Cross Domain
user -> www.: Log me in!
www. -> user: Well, I don't do login. Redirecting...
login. -> user: Here's the login page. Log in.
user -> login.: Ok! Here's my login info.
login. -> user: Looks legit. I just logged you in with a cookie. Now I'm redirecting you to the dashboard page with ?token=xxx in the querystring.*
dashboard. -> user: This JWT in the querystring is valid. I'm now creating a cookie for you. Welcome to the dashboard page.
* I also generated a JWT that lasts for 10 seconds.

Slide 42

Score: JWTs 0, Session Cookies 5

Slide 43

JWTs are More Efficient
JWT({ sessionId: 'aKF271L99Q47Zy9Ds9lCefuizH9wuTjVewxH4yaL' })  // 179 bytes
signed(aKF271L99Q47Zy9Ds9lCefuizH9wuTjVewxH4yaL)              // 64 bytes
~3x larger here. BUT... ~10x to 100x!

Slide 44

Score: JWTs 0, Session Cookies 6

Slide 45

JWTs Are Easy to Revoke
user -> website: My name is Randall, I'm an admin, I have a 1 hour token. Log me in!
(time passes)
attacker -> website: H4x3d!!! J00r t0k3ns r m1n3!
website: Someone's account was hacked! Let's change the signing key!

Slide 46

Randall, you are a n00b! If I want to invalidate an individual JWT I can just use a revocation list!!

Slide 47

user -> website: Show me the page!
website -> db: Has this token been revoked?
db -> website: Yep! Go die.
website: OK, OK

Slide 48

Score: JWTs 0, Session Cookies 7

Slide 49

JWTs are Easier to "Scale"
JWTs:
Good
- Can be validated locally without any external DB access
Bad
- This only applies to stateless JWTs, not stateful JWTs
- Requires more bandwidth on every request
Session Cookies:
Good
- Can use different types of session caches to speed up access server-side (including local memory)
- Requires less bandwidth for users
Bad
- Always requires some sort of DB / cache to retrieve data

Slide 50

Session Scaling (basic)
user -> website: Show me the page!
website -> db: Do we know this person?
db -> website: Yep!
website -> user: Here's the page you requested.

Slide 51

Session Scaling (advanced)
user -> website: Show me the page!
website -> db (several db nodes): Who is this guy?
db -> website: This is xxx.
website -> user: Here's the page you requested.

Slide 52

Session Scaling (super advanced)
website -> db (many db nodes across us-east, us-west, eu): Who is this guy?
db -> website: This is xxx.

Slide 53

Score: JWTs 0, Session Cookies 8

Slide 54

JWTs Are Secure By Design
user -> website: My name is Randall, I'm an admin, I have a 1 hour token. Log me in!
(time passes)
someone -> website: Randall is a jerk. Revoke his admin access!
user -> website: Let me delete everything!
website -> user: Sure thing, boss!

Slide 55

Score: JWTs 0, Session Cookies 9

Slide 56

So how should I use JWTs then, you jerk?

Slide 57

Rules for Using Tokens
1. They should have a short lifespan (a few seconds)
2. They should only be used a single time
PROTIP: Don't use JWTs though. There are better, safer, more modern standards for tokens now (e.g., PASETO).

Slide 58

JWT Use Cases
user -> website: I paid for this file! Let me download it!
website -> user: Ok, here's your download token. It expires in 1 minute.
user -> file server: Give me the file!!
file server -> user: Your JWT looks legit. OK. Here's the file.

Slide 59

JWT Use Cases (cont)
user -> website: Reset my password.
website -> user: Ok! I've emailed you a link that has a JWT in the URL which will expire in 30 minutes.
user -> website: Ok! I clicked the link.
website -> user: This JWT looks legit. I suppose I'll let you reset your password. Ok, your PW has been reset.
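The two rules from slide 57 applied to the download token of slide 58 (and equally to the reset link of slide 59), as an added example that is not the talk's code: the token gets a short exp, a random jti, and the verifier burns the jti on first use so a replay is refused. It also pins the algorithm to HS256 instead of trusting the header, the mistake behind several of the JWT library vulnerabilities slide 31 alludes to. The signing key, the in-memory consumed-jti set and the claims are constructed stand-ins; a real deployment would keep the jti set in a shared store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"example-hs256-key-do-not-reuse"  # constructed
CONSUMED_JTI = set()  # constructed stand-in for a shared "already used" store


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, ttl_seconds: int, now: float = None) -> str:
    """HS256 JWT with a short exp (rule 1) and a random jti so it can be single-use (rule 2)."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_urlsafe(16)}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def redeem_token(token: str, now: float = None):
    """Return the claims exactly once, or None on any failure.

    Pins alg to HS256 (the header is attacker-controlled input, never a choice to honour),
    checks the MAC in constant time, rejects expired tokens, and burns the jti on first use."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    jti = payload.get("jti")
    if not jti or jti in CONSUMED_JTI:
        return None  # replay of a single-use token, or a token minted without a jti
    CONSUMED_JTI.add(jti)
    return payload
```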

Slide 60

So why are JWTs so popular then?

Slide 61

No content

Slide 62

What else even is there?!

Slide 63

PASETO! https://paseto.io
JWTs:
● Lots of different options (algorithms, use cases, etc.)
● Confusing / complex spec
● Hard to implement correctly
PASETO:
● Two options only (local or public?)
● Simple, not confusing
● Nearly impossible to implement incorrectly

Slide 64

No content

Slide 65

Thank you!
@rdegges @oktadev

Slide 66

teespring.com/dontusejwts