Huilan,
In the context of the OAuth protocol, can you describe how an innocent
user can cause the right context and state to be established, and why a
DDoS attacker can't accomplish the same, without making assumptions about
additional security measures that are not mandated or recommended by the

Hi Huilan,
The vulnerability being mentioned here is not that an attacker
impersonates Rob. Please refer to the original discussion below:
"The issue is that according to the current draft, someone who owns a
botnet can locate the redirect URIs of clients that listen on HTTP, and
access them w

Hi Huilan,
If you are referring to the 'state' parameter (or some other way such as
a session cookie that the client uses to track the state of the
request), there are a few limitations:
a) it is an optional feature as far as the spec is concerned,
b) it is not sufficient to prevent a DDoS att

Hi Torsten,
Thanks for getting back to me and raising this interesting point.
Are you hinting that while a web application allows anonymous access, it
shouldn't participate in OAuth? If so, this assumption has not been
spelled out in the core specification. From what I read, the current
speci

Thanks, Oleg, for the note.
I agree that key distribution has been a difficult problem. Since the
OAuth draft 10 section 2.1 provides a mechanism for the client to
authenticate to the Authz Server using some shared symmetric secret, I
think the MAC scheme can be built on the presumably available s

Hi,
We are a group of university researchers and have been applying a formal
approach to analyze web security protocols. Devdatta gave a talk at IIW at
Mountain View last week about our work, and a summary of our earlier
results can be found at
http://theory.stanford.edu/~jcm/papers/browsermodel-c