On 09/06/2011 08:52 PM, Manger, James H wrote:
> A strange aspect of this thread is that the current draft already talks about
> exactly this issue:
>
> draft-ietf-oauth-v2-21 section 9 "Native Applications"
>
> "...Native applications can invoke an external user-agent or
> embed a user-agent within the application
> ...
> Embedded user-agents pose a security challenge because resource
> owners are authenticating in an unidentified window without access
> to the visual protections found in most external user-agents.
> Embedded user-agents educate end-user to trust unidentified
> requests for authentication (making phishing attacks easier to
> execute)."
>
> The webView that Michael Thomas talks about is an "embedded user-agent".

First, thank you for finding this -- this is far more useful than
the snarls I've received.

Second, I'd say that this is a good first step, but the text there
should be explicit and not pussy-foot around the fact that it
means embedded UAs in phone apps and other examples. It
should also make clear that the "challenge" (ack, ptui) involves
untrusted apps stealing the user's credentials by simply snooping
on the UA itself. If there is reasonable mitigation, then by all means
add text about it. This is important because I do not think that
many people grok the seriousness of the issue, and most especially
people who would deploy oauth authentication services.

Third, I think that the introduction needs to have an applicability
statement of *when/where/what* oauth can be used. That is,
do not beat around the bush about the need for the UA to be
trustable, because that is a basic assumption that oauth makes.
As inconvenient as that may be, it would be far worse for people
in the industry to not fully understand the threat.

Fourth, it would be *really* nice to hear from folks at Facebook
and Twitter who have deployed oauth and oauth-like flows with
their experience here, and most especially if they understood the
threat ahead of their deployment, and what they do to mitigate
it, if anything.
Mike

> --
> James Manger
> ----------
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Michael Thomas
> ...
> At this point, it would be just nice for the industry to know that the issue
> even *exists*.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth