Hi,
glad to hear that you like our work.
If you have any questions or if we can do anything to help you with
this, don't hesitate to ask.
Best regards
Christian
On 26.10.22 17:13, Donna Chong Nee wrote:
Hi, thanks so much. Will take my time amending this with some help.
Smart E11
On Thu, 27 Oct 2022, 02:16 Daniel Fett, <fett=40danielfett...@dmarc.ietf.org>
wrote:
Hi Christian,
thanks for bringing this to our attention! I think the recommendations in
the PR are very helpful and we will consider adding the text to the
document.
-Daniel
On 25.10.22 at 15:37, Christian Mainka wrote:
Hi,
we would like to request the inclusion of _in-browser communication
security considerations_ in the OAuth security topics.
We found that in-browser communications like the postMessage API are widely
used by Clients and Authorization Servers as an alternative to the
standardized HTTP redirects.
If these techniques are used insecurely, OAuth token leaks and injections
are possible.
We will publish our results soon at ACM CCS in November 2022.
The paper is accessible [1].
We think that the paragraph about in-browser communications should be
added to the security topics.
We created a pull request [2] to help developers in understanding the
risks and best practices of using in-browser communications in OAuth.
We are happy to discuss the idea here or directly in the pull request.
Best regards
Christian
[1]: "DISTINCT: Identity Theft using In-Browser Communications in
Dual-Window Single Sign-On", https://distinct-sso.com/paper.pdf
[2]:
https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/53
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr University Bochum, Germany
Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
https://nds.rub.de/chair/people/cmainka/
@CheariX