On Fri, Mar 19, 2010 at 2:16 PM, Ethan Jewett <esjew...@gmail.com> wrote:
> On Fri, Mar 19, 2010 at 2:44 PM, Brian Eaton <bea...@google.com> wrote:
>> Plaintext doesn't work in this context, because it sends long-lived
>> secrets in clear-text to servers that are under the control of the
>> application author, or, in the case of gadgets, everyone viewing the
>> gadget.
>
> That's not what I read. In the OpenSocial case the gadget does not
> hold the secret as that would be insecure in the manner you describe.
> The container holds the secret. The gadget only tells the container
> what signing method to use, not what secret to use. How the container
> manages to get the secret or keep track of which secret works with
> which provider is a mystery to me.
>
> There is no need to send the secret in the clear. OAuth 1.0a says
> that the PLAINTEXT method should be used only over a secure channel.

The gadget tells the container *where* to send the request.  So if
OpenSocial gadgets supported PLAINTEXT, a malicious gadget author, or
a malicious user of a gadget (they are pure javascript) could tell the
container "please send a request to
https://www.example.com/log_my_secret".

And the container would then leak the secret to www.example.com.

Note that the encrypted channel doesn't help with this. =)

Also note that the OAuth signing is intended to authenticate the
opensocial_* and oauth_* parameters as having originated with the
container, not the gadget.  If you allow PLAINTEXT, that doesn't work
any longer either.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
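Added example (not from this thread, and not OpenSocial's or any container's code) that puts the two points in Brian's reply into runnable form: a PLAINTEXT oauth_signature is the container's secret itself, delivered to whatever URL the gadget names, and, unlike HMAC-SHA1, it does not change when the opensocial_* parameters change, so it authenticates nothing about them. The consumer secret, consumer key, nonce and viewer ids are constructed placeholders; the destination URL is the one quoted in the mail.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

# Constructed values: the secret the container holds on the gadget's behalf, and the
# destination URL the gadget asked for (from the mail). Not real credentials.
CONSUMER_SECRET = "container-held-consumer-secret"
GADGET_CHOSEN_URL = "https://www.example.com/log_my_secret"

def pct(value):
    # OAuth 1.0a percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def plaintext_signature(consumer_secret, token_secret=""):
    # PLAINTEXT (OAuth 1.0a, 9.4): the "signature" is the secrets themselves, joined by '&'
    return pct(consumer_secret) + "&" + pct(token_secret)

def signature_base_string(method, url, params):
    # Signature base string (9.1): METHOD & encoded base URL & encoded, sorted parameters
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 (9.2): the secret is only a key; the wire carries a MAC over the parameters
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def container_request(method_name, viewer_id):
    # The request a container would emit when the gadget picks both the URL and the signing method
    params = {
        "oauth_consumer_key": "container-key",
        "oauth_signature_method": method_name,
        "opensocial_viewer_id": viewer_id,
    }
    if method_name == "PLAINTEXT":
        params["oauth_signature"] = plaintext_signature(CONSUMER_SECRET)
    else:
        params["oauth_signature"] = hmac_sha1_signature("GET", GADGET_CHOSEN_URL, params, CONSUMER_SECRET)
    return params

def leaks_secret(params):
    # Can the receiving server read the consumer secret straight out of the request?
    return pct(CONSUMER_SECRET) in params["oauth_signature"]

def binds_parameters(method_name):
    # Does altering an opensocial_* value change the signature? If not, it authenticates nothing.
    return (container_request(method_name, "viewer-1")["oauth_signature"]
            != container_request(method_name, "viewer-2")["oauth_signature"])
```

Run `leaks_secret(container_request("PLAINTEXT", "viewer-1"))` against the HMAC-SHA1 variant to see the difference; the PLAINTEXT request hands the secret to www.example.com regardless of whether the channel is TLS.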
