On Sat, Apr 25, 2009 at 1:11 PM, J. Adam Moore <jadammo...@gmail.com> wrote:
> The problem itself is REALLY
> specific: Phishing. Like fish in a barrel phishing. The solution is to
> take away their bullets, and is not to try and harden the barrels or
> educate the fish to dodge bullets.

The problem is very similar to phishing, in that it requires some
element of social engineering to exploit.  However, the current
protocol allows a phishing attack where everything the user sees is
completely in context and true.  The session fixation vulnerability
allows perfect phishing.

I just reread the protocol you proposed above, and I'm pretty sure it
doesn't actually fix the session fixation attack.  You need some kind
of a callback token passed through the user's browser back to the
consumer.  (If you were including that, sorry, I missed it.)
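An added illustration of the callback-token binding described above, written for this page and not taken from this thread or any OAuth implementation: the provider hands a verifier only to the browser that approved the request token, and the consumer accepts a callback only in the session that started the dance and only with that verifier. The class names, session ids and callback URL are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory model of the OAuth 1.0a "callback token" fix
# (oauth_verifier); names and URLs here are assumptions for illustration.

class Provider:
    def __init__(self):
        self.request_tokens = {}  # token -> {"callback", "verifier"}

    def issue_request_token(self, callback_url):
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"callback": callback_url, "verifier": None}
        return token

    def user_authorizes(self, token):
        # Resource owner approves; the verifier travels only in the redirect
        # that the approving user's browser carries back to the consumer.
        rec = self.request_tokens[token]
        rec["verifier"] = secrets.token_hex(8)
        return f"{rec['callback']}?oauth_token={token}&oauth_verifier={rec['verifier']}"

    def exchange(self, token, verifier):
        rec = self.request_tokens.get(token)
        if rec is None or rec["verifier"] is None:
            return None  # unknown token, or not yet authorized
        if not hmac.compare_digest(rec["verifier"], verifier):
            return None  # caller never received the redirect
        del self.request_tokens[token]  # request tokens are single use
        return "access-" + secrets.token_hex(8)

class Consumer:
    def __init__(self, provider):
        self.provider = provider
        self.sessions = {}  # browser session id -> request token it started

    def start(self, session_id):
        token = self.provider.issue_request_token("https://consumer.example/cb")
        self.sessions[session_id] = token
        return token

    def callback(self, session_id, url):
        q = parse_qs(urlparse(url).query)
        token = q.get("oauth_token", [""])[0]
        verifier = q.get("oauth_verifier", [""])[0]
        # The callback must arrive in the session that began the dance ...
        if self.sessions.get(session_id) != token:
            return None
        # ... and carry the verifier the provider gave that user's browser.
        return self.provider.exchange(token, verifier)
```

A consumer that skips either check (session binding or verifier) is back to the situation the message describes, where whoever started the dance can finish it after someone else authorizes.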
