Is there any information as to what percentage of browsers have a vulnerable configuration? That's not clear to me and seems relevant. My impression was that wpad wasn't that widely enabled in browsers nowadays, but that may well be wrong.
S.

On 27/07/16 01:15, Dick Hardt wrote:
> http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/
>
> Access tokens included as a URL query parameter when accessing a resource
> are susceptible to this attack.
>
> Authorization codes are also visible. From what I know, we have not
> depended on the confidentiality of the authorization code.
>
> What are the best current practices that we can point people towards to
> ensure they are not susceptible to this attack?
>
> -- Dick
> Subscribe to the HARDTWARE <http://hardtware.com/> mail list to learn about
> projects I am working on!
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth