Or a connection to evil will happen. On Wed, Oct 13, 2010 at 6:33 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote: > I don't think so. If you are not running a server on port 80, the connection > will never happen and nothing bad will be send on the wire. > > EHL > >> -----Original Message----- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of William Mills >> Sent: Wednesday, October 13, 2010 5:05 PM >> To: Breno; Jeff Lindsay >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] Request sent to http: instead of https:` >> >> This rather implies that we're specifying running a full server on port 80 >> as a >> "stupid detector". We should tread carefully here. >> >> > +1 for language in the spec describing how to handle this case >> > >> > On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay <progr...@twilio.com> >> > wrote: >> > >> Hopefully you also invalidate the token (if bearer) since it was >> > send over >> > >> an insecure channel. >> > > >> > > Excuse my naivety, but perhaps that's worth putting in the spec? >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
-- Breno de Medeiros _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
