Solving the A-B part is going to be tough.  The internet protocols
just aren't set up to protect against this sort of thing.

You could add the IP address of the requesting user into the
signature, but IPs can always be spoofed.

The consumer app could include an invisible gif that sets a unique
cookie from the provider, but an attacker could simply grab that image
and then redirect victims through a page that includes that image.

It seems to me that this part of the vulnerability is best addressed
through education to users and clear communication on the provider's
authentication page.

On Apr 23, 11:28 pm, Luca Mearelli <luca.meare...@gmail.com> wrote:
> On Fri, Apr 24, 2009 at 7:15 AM, pkeane <pjke...@gmail.com> wrote:
> > The weakness is in the A-B connection.
> ...
> > Whatever happens, I think the consumer is
> > going to need to signal to the user that it is about to make contact
> > with the SP, and either ask for or present a PIN, or a pattern or
> > picture to remember, etc., that the user has to verify, either to
> > themselves ("yea that's the same picture I saw") or by typing a short
> > code/PIN to "authenticate."
>
> ...
>
> If I understand what you say, this would not work, since it's the
> attacker that initiates the flow, anything that the consumer shows in
> step A would be known to him so could be possibly used in the social
> part of the attack, making the user impersonate the attacker in
> step B (e.g. convincing him to input the PIN)
>
> Luca