On 01/05/2012 07:54 AM, Justin Richer wrote:
> However, the contention about native apps that Mike brings up is misleading for one key reason: if the user's browser is compromised (which is the attack vector in question), then all OAuth-backed webapps will *also* be compromised, since the bad party can just grab the data on its way to the screen. And if the user downloads malware masquerading as a good app (which OAuth *can* protect against by using client secrets in some circumstances and trusted callback URLs in others), and they approve the bad app, then they're hosed too.
There's a big difference between a compromised browser and a native app with an embedded browser. The first is considered harmful, and browsers already take steps to ensure they do not remain infected, through updates, etc. The second is working as intended.

> Even so, I do think it's clear from what text we already have.

Remember: the reason that I am here at all is precisely because it was *not* clear. It's why I find the belligerence I've been afforded from the beginning so mystifying.

Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
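The two OAuth protections Justin names above, a trusted (registered) callback URL and a client secret, shown as an added example that is not code from this thread or from any OAuth implementation. The client registry, the two endpoint functions and all URIs below are constructed for illustration; the point is that the authorization server only ever redirects to an exactly registered URI, and that a confidential client must present its secret at the token endpoint, so an app merely masquerading as the real one cannot collect the code or the token.

```python
"""Added example: redirect-URI pinning and client-secret checks at an OAuth 2.0
authorization server. Hypothetical registry and helpers, not a real library."""
import hmac
import secrets

# Constructed client registry (assumption: full redirect URIs are stored at
# registration time, so the server can compare them by exact string match).
CLIENTS = {
    "web-app": {
        "confidential": True,                       # server-side app, can keep a secret
        "secret": "s3cr3t-from-registration",
        "redirect_uris": {"https://app.example.com/oauth/callback"},
    },
    "native-app": {
        "confidential": False,                      # installed app, cannot keep a secret
        "secret": None,
        "redirect_uris": {"com.example.app:/callback"},
    },
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered URIs.

    Prefix, host-only or normalising comparisons are what let a malicious app
    smuggle in a URI it controls (path traversal, look-alike hosts, open
    redirectors), so nothing short of byte-for-byte equality is accepted."""
    client = CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def authorize(client_id: str, redirect_uri: str, issued_codes: dict):
    """Authorization endpoint: returns a fresh code, or None on a bad request.

    On an unregistered redirect_uri the server must not redirect at all (not
    even with an error), otherwise it becomes an open redirector."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(16)
    # Bind the code to the client and the redirect URI it was issued for.
    issued_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return code


def exchange_code(client_id: str, client_secret, code: str,
                  redirect_uri: str, issued_codes: dict):
    """Token endpoint: returns a token dict, or None if any check fails.

    A confidential client must prove possession of its secret (constant-time
    compare). Every client must present the same redirect_uri the code was
    issued for, and a code is single use, so a masquerading app that somehow
    obtained one cannot replay it."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if client["confidential"]:
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            return None
    grant = issued_codes.pop(code, None)            # consume: codes are single use
    if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        return None
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


if __name__ == "__main__":
    issued = {}
    cb = "https://app.example.com/oauth/callback"
    print("look-alike host accepted?", redirect_uri_allowed("web-app", "https://app.example.com.evil.net/oauth/callback"))
    code = authorize("web-app", cb, issued)
    print("wrong secret gets a token?", exchange_code("web-app", "guess", code, cb, issued) is not None)
    print("right secret gets a token?", exchange_code("web-app", "s3cr3t-from-registration", code, cb, issued) is not None)
    print("replayed code gets a token?", exchange_code("web-app", "s3cr3t-from-registration", code, cb, issued) is not None)
```

The native app in the registry shows the limit Justin alludes to: with no secret to check, the only thing binding the code to the genuine app is the registered custom-scheme redirect URI, which another installed app on the same device may also be able to claim.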