+1
I also think PKCE is currently the simplest way to protect OAuth clients from
injection.
Original message
Subject: Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even
over HTTPS
From: William Denniss
To:
PS Using PKCE S256 would prevent this attack on web server clients, as long
as the client uses a different PKCE value for each request. Even if the
attacker can observe both the request and response, they would not have the
code_verifier and if replaying the code to the client the client will
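The PS above describes the S256 binding in terms of what an observer of the front channel sees. The following is an added, self-contained example (not code from the thread or from any OAuth library; the class `ToyAuthorizationServer`, the function names and the placeholder token value are hypothetical) that plays out the races it alludes to: the observer replaying the code after the client has redeemed it, the observer reaching the token endpoint first without the verifier, and, as the caveat about "a different PKCE value for each request" implies, a client that reuses one static verifier whose value the attacker is assumed to have learned once.

```python
"""Toy PKCE S256 exchange (RFC 7636) showing why an observer of the
authorization request and the redirect response cannot redeem the code.
Added example; not code from the OAUTH-WG thread. Names are hypothetical."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Fresh high-entropy verifier per authorization request (RFC 7636 4.1).
    32 random bytes give 43 unreserved characters, the minimum length."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Issues single-use codes bound to the S256 challenge they were
    requested with. Hypothetical and minimal on purpose."""

    def __init__(self) -> None:
        self._pending = {}  # code -> code_challenge

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        # Accept only S256; 'plain' would put the verifier itself in the URL.
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        # The code goes back to the client in a redirect URL, so anyone who
        # can read URLs (the WPAD case) sees it alongside the challenge.
        return code

    def token(self, code: str, code_verifier):
        # pop() makes the code single-use: a second presentation, with or
        # without the right verifier, finds nothing.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return None
        if code_verifier is None or not hmac.compare_digest(
            s256_challenge(code_verifier), challenge
        ):
            # A mismatch also burns the code (already popped). A real AS
            # would additionally revoke tokens issued for it (RFC 6749 4.1.2).
            return None
        return "access_token:" + code  # placeholder token value


def run_scenarios() -> dict:
    """Races between the legitimate client and an observer who saw both the
    authorization request (challenge) and the redirect response (code)."""
    results = {}

    # A: client redeems first, observer replays the code afterwards.
    srv = ToyAuthorizationServer()
    verifier = new_code_verifier()
    code = srv.authorize(s256_challenge(verifier), "S256")
    results["client_first"] = srv.token(code, verifier) is not None
    results["replay_after_client"] = srv.token(code, None) is not None

    # B: observer reaches the token endpoint first; it has no verifier.
    srv = ToyAuthorizationServer()
    verifier = new_code_verifier()
    code = srv.authorize(s256_challenge(verifier), "S256")
    results["attacker_first"] = srv.token(code, None) is not None
    # The attempt burned the code, so the client's own exchange now fails
    # too, which is at least visible to the client.
    results["client_after_attacker"] = srv.token(code, verifier) is not None

    # C: client reuses one static verifier for every request (constructed
    # misuse). Assume the attacker learned that value once from an earlier
    # leak; the challenge never changes, so any future code is redeemable.
    srv = ToyAuthorizationServer()
    static_verifier = new_code_verifier()   # reused instead of fresh
    leaked_verifier = static_verifier       # assumed prior compromise
    code = srv.authorize(s256_challenge(static_verifier), "S256")
    results["static_verifier_reuse"] = srv.token(code, leaked_verifier) is not None

    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: token issued = {ok}")
```

Scenario B is the case the thread leaves hanging ("if the attacker can stop the browser from delivering the code"): the observer still gets no token, and because the failed attempt consumed the code, the client's own redemption fails rather than silently succeeding for someone else. Scenario C is why the PS insists on a different verifier per request: with a static verifier, a single disclosure of that value turns every later observed code into a usable one.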
I need to think about it a bit, however off the top of my head based on the
attack described the code flow should still be safe if the code is truly single
use. (Some implementations fudge that)
If the attacker can stop the browser from delivering the code to the client
then the client would
http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/
Access tokens included as a URL query parameter when accessing a resource
are susceptible to this attack.
Authorization codes are also visible. From what I know, we have not
depended on
Please forgive me if this comment is out of order or inappropriate in any way...
...but why is HTTP Basic even being discussed in 2016? It has horrific security
properties at multiple levels; shouldn't we at least move to HTTP Digest if not
something stronger?
Regards.
--
Jim Manico
@Manicode
The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".
--
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4749
--
Type: Technical