On Wed, Feb 6, 2013 at 11:26 PM, William Mills <wmills_92...@yahoo.com>wrote:
> Yes, MAC relies on SSL for transport security. But you have bigger > problems than that if SSL is broken, because your primary authentication > credential is compromised now. > +1 > > Do we need to address sslstrip here if it's a general attack on SSL > transport for the browser? > Yes.. its a general attack against SSL and counter measures defined too.. Thanks & regards, -Prabath > ------------------------------ > *From:* Prabath Siriwardena <prab...@wso2.com> > *To:* William Mills <wmills_92...@yahoo.com> > *Cc:* L. Preston Sego III <lpse...@gmail.com>; "oauth@ietf.org" < > oauth@ietf.org> > *Sent:* Wednesday, February 6, 2013 8:23 AM > *Subject:* Re: [OAUTH-WG] I'm concerned about how the sniffability of > oauth2 requests > > > > On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92...@yahoo.com>wrote: > > There are two efforts at signed token types: MAC which is still a > possibility if we wake up and do it, and the "Holder Of Key" type tokens. > > > If someone can use sslstrip then even MAC is not safe - since MAC key > needs to be transferred over SSL to the Client from the AS. > > There are standard ways in HTTP to avoid or protect from sslstrip - IMHO > we need to occupy those best practices... > > Thanks & regards, > -Prabath > > > > There are a lot of folks that agree with you. > > ------------------------------ > *From:* L. Preston Sego III <lpse...@gmail.com> > *To:* oauth@ietf.org > *Sent:* Friday, February 1, 2013 7:37 AM > *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of oauth2 > requests > > In an oauth2 request, the access token is passed along in the header, with > nothing else. > > As I understand it, oauth2 was designed to be simple for everyone to use. > And while, that's true, I don't really like how all of the security is > reliant on SSL. > > what if an attack can strip away SSL using a tool such as sslstrip (or > whatever else would be more suitable for modern https)? They would be able > to see the access token and start forging whatever request he or she wants > to. > > Why not do some sort of RSA-type public-private key thing like back in > Oauth1, where there is verification of the payload on each request? Just > use a better algorithm? > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > Thanks & Regards, > Prabath > > Mobile : +94 71 809 6732 > > http://blog.facilelogin.com > http://RampartFAQ.com > > > -- Thanks & Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
