On Fri, Apr 24, 2009 at 8:03 PM, Brian Eaton <bea...@google.com> wrote:
>
> No, we haven't, and in fact we can't with the protocol as it stands
> today.  Please go read Eran's blog post explaining the attack:
>
> http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html#more

We haven't solved it completely (as in *made impossible*), but those
minimal additions to the protocol reduce the available attack window a
lot. I think that security work should at least seek to make an attack
vector less feasible under the given constraints.

I read Eran's article before sending the first email of the long
thread, and I'm a bit lost in the whole discussion now, but I'd still
like to know if what I said there missed the point, e.g. with regard
to the fact that the SP cannot safely pass information, like the
"unpredictable callback parameter", back to the consumer over the
redirect if the callback URL is not verified ...

I hope this doesn't sound stupid or pedantic (I'm just trying to understand).

Luca
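The two mitigations being discussed above, the consumer binding its callback to the request token up front and the SP returning an unpredictable value over the redirect, fit together as shown in the following toy model. This is an added illustration, not code from the thread or from any OAuth library; the shape follows what OAuth 1.0 Revision A later standardised as `oauth_callback` and `oauth_verifier`, but names, URLs and token values are constructed, and the request signing with the consumer secret that authenticates the request-token call in the real protocol is assumed and omitted here.

```python
"""Toy three-legged OAuth flow with a callback bound at request-token time
and a verifier that must be presented when exchanging the request token.
All names, URLs and token values are constructed for illustration."""

import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class ServiceProvider:
    """Holds request tokens and enforces the callback binding and verifier check."""

    def __init__(self):
        self._request_tokens = {}   # request token -> state dict
        self._access_tokens = {}    # access token -> (consumer key, user)

    def request_token(self, consumer_key, oauth_callback):
        """Step 1: the consumer registers its callback when it asks for a request
        token, so the callback is bound to the token before any user is involved
        (in real OAuth this call is signed with the consumer secret; assumed here)."""
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = {
            "consumer": consumer_key,
            "callback": oauth_callback,   # bound here, never taken from the authorize step
            "authorized": False,
            "verifier": None,
            "user": None,
        }
        return token

    def authorize(self, token, user):
        """Step 2: the user approves the token. The SP redirects only to the
        callback stored in step 1 and adds a fresh, unpredictable verifier."""
        state = self._request_tokens.get(token)
        if state is None or state["authorized"]:
            raise PermissionError("unknown or already authorized request token")
        state["authorized"] = True
        state["user"] = user
        state["verifier"] = secrets.token_urlsafe(16)
        query = urlencode({"oauth_token": token, "oauth_verifier": state["verifier"]})
        return f"{state['callback']}?{query}"

    def access_token(self, consumer_key, token, oauth_verifier):
        """Step 3: only a party that received the verifier, i.e. one that controls
        the registered callback, can swap the request token for an access token."""
        state = self._request_tokens.get(token)
        if state is None or state["consumer"] != consumer_key or not state["authorized"]:
            raise PermissionError("request token not authorized for this consumer")
        if oauth_verifier is None or not secrets.compare_digest(oauth_verifier, state["verifier"]):
            raise PermissionError("missing or wrong oauth_verifier")
        del self._request_tokens[token]   # request tokens are single use
        access = secrets.token_urlsafe(16)
        self._access_tokens[access] = (consumer_key, state["user"])
        return access

    def whoami(self, access):
        return self._access_tokens[access]


class Consumer:
    """Tracks the request tokens it asked for and handles the SP's redirect."""

    def __init__(self, key, callback_url, sp):
        self.key, self.callback_url, self.sp = key, callback_url, sp
        self._pending = set()

    def start(self):
        token = self.sp.request_token(self.key, self.callback_url)
        self._pending.add(token)
        return token

    def finish(self, redirect_url):
        """Browser lands on our callback after approval: check the token is one we
        issued, then exchange it together with the verifier."""
        qs = parse_qs(urlsplit(redirect_url).query)
        token = qs.get("oauth_token", [None])[0]
        verifier = qs.get("oauth_verifier", [None])[0]
        if token not in self._pending:
            raise PermissionError("callback for a request token we never issued")
        self._pending.discard(token)
        return self.sp.access_token(self.key, token, verifier)


def run_flow():
    """Happy path: returns which consumer/user the resulting access token maps to."""
    sp = ServiceProvider()
    consumer = Consumer("photo-printer", "https://printer.example/cb", sp)
    token = consumer.start()
    redirect = sp.authorize(token, "alice")
    return sp.whoami(consumer.finish(redirect))


def exchange_without_verifier_is_refused():
    """The property the verifier buys: an authorized request token alone is not enough."""
    sp = ServiceProvider()
    consumer = Consumer("photo-printer", "https://printer.example/cb", sp)
    token = consumer.start()
    sp.authorize(token, "alice")
    try:
        sp.access_token("photo-printer", token, None)
    except PermissionError:
        return True
    return False
```

The point the thread circles around is visible in `authorize`: the SP never accepts a callback on the authorization request, it only redirects to the one the consumer bound when the request token was issued, so the verifier travelling over that redirect reaches the consumer and nobody else. Without that binding the verifier would be no safer than the token it protects.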
