John Kemp wrote:
I can tell you from experience that Android absolutely doesn't check anything of this sort, and it would take extremely deep voodoo for Apple to do the same: they never see source.

I believe that both Apple and Google *do attempt* to prevent malware from getting into their stores.

No, seriously, they don't. Google has no review process at all, just a kill switch after the fact. Apple doesn't have source, so the amount of testing they can do is limited, and is about 99 & 44/100% marketing hype in any case.

But I'm being told that use cases aren't the problem of oauth. I'd say that there has all along been a hidden assumption that the browser was a trusted entity.

The point is simply that if you can subvert the actual platform, then OAuth problems are the least of your worries (as a user).

People keep saying that to deflect criticism, but I don't buy it. Other protocols aren't availing an attacker to user credentials to third party servers by simply snooping on the webview key traffic in an otherwise completely normal use pattern.

HTTP Auth? Web form login?

When an app asks for your login credentials, it looks like the app itself asking if it's on the up and up. With OAuth, it looks like it's twitter, or facebook, or whichever trusted service you're logging into. That's why I say that this situation is worse: as a user, I have no idea which apps are good and which are sending your credentials to a broker in Romania. At least I have some clue that it *might* do that in the first case, but with OAuth I'm being told that that's why it exists, so that I don't *have* to trust that app. Except that I do, as it turns out.

Have you ever signed on to facebook in an app before?

Frankly, not too often, no, since these apps usually ask for far more authority than I believe is necessary for the purpose of using the app.

But even if you did it once, how did you know that you didn't reveal your credentials to a bad guy?

And I'm being told that this isn't even worthy of any mention anywhere? I came here hoping to hear that the attack wasn't possible, or could be mitigated. Zoicks.

Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth