On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92...@yahoo.com>wrote:
> There are two efforts at signed token types: MAC which is still a > possibility if we wake up and do it, and the "Holder Of Key" type tokens. > If someone can use sslstrip then even MAC is not safe - since MAC key needs to be transferred over SSL to the Client from the AS. There are standard ways in HTTP to avoid or protect from sslstrip - IMHO we need to occupy those best practices... Thanks & regards, -Prabath > > There are a lot of folks that agree with you. > > ------------------------------ > *From:* L. Preston Sego III <lpse...@gmail.com> > *To:* oauth@ietf.org > *Sent:* Friday, February 1, 2013 7:37 AM > *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2 > requests > > In an oauth2 request, the access token is passed along in the header, with > nothing else. > > As I understand it, oauth2 was designed to be simple for everyone to use. > And while, that's true, I don't really like how all of the security is > reliant on SSL. > > what if an attack can strip away SSL using a tool such as sslstrip (or > whatever else would be more suitable for modern https)? They would be able > to see the access token and start forging whatever request he or she wants > to. > > Why not do some sort of RSA-type public-private key thing like back in > Oauth1, where there is verification of the payload on each request? Just > use a better algorithm? > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- Thanks & Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
