We discussed that redirecr helps but we wanted the Token endpoint to also be 
able to detect assuming many client devs won't implement the check. 

Phil

> On Jan 28, 2016, at 20:54, Nat Sakimura <sakim...@gmail.com> wrote:
> 
> My preferred way of dealing with mix-up has been to use separate redirection 
> URI but your using issuer instead is for the backward compatibility? 
> 
> Nat
> 
> 2016年1月29日(金) 2:53 John Bradley <ve7...@ve7jtb.com>:
>> Yes,  I note either mitigation in draft-jones-oauth-mix-up-mitigation-01 
>> will stop this attack.
>> 
>> White listing AS seems tempting, but is just sweeping the problem partially 
>> under the rug.  
>> There are probably good policy reasons to whitelist AS but we shouldn’t let 
>> this AS mixup be one of them.
>> 
>> John B.
>> 
>> 
>>> On Jan 27, 2016, at 10:42 PM, Nat Sakimura <sakim...@gmail.com> wrote:
>>> 
>> 
>>> I see. That's like double cut-n-paste. 
>>> 
>>> I tried to capture this case of used-to-be-good AS turning Compromised AS 
>>> (Log leaking AS) in a sequence diagram: http://j.mp/1QtDeKD
>>> 
>>> Given this, just relying on not using random AS is not good enough. You 
>>> would probably require AS w/ISMS with the policy of not logging un-masked 
>>> credentials and has strict access control on the log ;-) 
>>> 
>>> Nat
>>> 
>>> 2016年1月28日(木) 9:38 Hans Zandbelt <hzandb...@pingidentity.com>:
>>>> indeed, if the attacker is able to phish the user, he can put up a
>>>> script that first triggers the authorization request to the compromised
>>>> AS (i.e. the AS at which he has access to the logs and gathers the state
>>>> value from) through the Client, and subsequently trigger the redirect to
>>>> the good AS using an auto-refresh of that same phishing page (with the
>>>> stolen state value); no need to control the authorization endpoint of
>>>> the compromised AS itself
>>>> 
>>>> Hans.
>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>> 
>>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to