The Java implementation http://code.google.com/p/oauth/source/browse/#svn/code/java/core/commons/src/main/java/net/oauth validates timestamp and nonce before signature. I've just committed changes to defend against a timing attack. It accepts plaintext signatures by default, but one can make it reject plaintext signatures by calling OAuthSignatureMethod.unregisterMethod("PLAINTEXT").
On Aug 14, 1:38 pm, Pelle Braendgaard <pel...@gmail.com> wrote:
> From what I can see you would need only one variable for it to be
> feasible, that is the consumer secret on a request token request.
> However since the nonce and timestamp have to be changed I don't think
> it's feasible for any of the digest based attacks (nor the rsa one).
>
> I also just made a test request against agree2 attempting to set
> PLAINTEXT and it did not accept it, so I'm glad we handled that case
> back when we wrote the OAuth Ruby gem. You might want to check your
> oauth implementation for this if you're not using the standard ruby
> implementation. I have no idea how Python, Java, .net etc handle this.
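As an added illustration of the three checks this thread touches on (it is not code from the net.oauth project, the OAuth Ruby gem, or either poster), the sketch below is a small OAuth 1.0 verifier that applies the timestamp window and nonce replay check before the signature, compares the HMAC-SHA1 signature in constant time with `hmac.compare_digest`, and rejects PLAINTEXT by keeping an explicit allow-list of signature methods rather than a registry to unregister from. The names `Verifier`, `OAuthError` and `TIMESTAMP_WINDOW_SECONDS`, the 300-second window and the sample consumer credentials are constructed assumptions, not values from the thread.

```python
"""Constructed OAuth 1.0 verifier skeleton (hypothetical; not the net.oauth code)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

TIMESTAMP_WINDOW_SECONDS = 300  # assumption: allowed drift between client and server clocks


class OAuthError(Exception):
    """Raised for any request the verifier refuses."""


def _enc(s):
    # RFC 3986 percent-encoding with only the unreserved set left bare, as OAuth requires.
    return quote(str(s), safe="-._~")


def signature_base_string(method, base_url, params):
    """Build the OAuth 1.0 signature base string (RFC 5849 section 3.4.1)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by 'consumer_secret&token_secret'."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class Verifier:
    def __init__(self, consumer_secrets, allowed_methods=("HMAC-SHA1",), now=time.time):
        self.consumer_secrets = consumer_secrets      # consumer key -> consumer secret
        self.allowed_methods = set(allowed_methods)   # PLAINTEXT is absent, so it is refused
        self.seen_nonces = set()                      # (consumer key, timestamp, nonce) already accepted
        self.now = now                                # injectable clock for deterministic tests

    def verify(self, method, base_url, params, token_secret=""):
        # 1. Only explicitly allowed signature methods get any further.
        sig_method = params.get("oauth_signature_method")
        if sig_method not in self.allowed_methods:
            raise OAuthError(f"signature method not allowed: {sig_method!r}")
        # 2. Timestamp must fall inside the window before any secret is touched.
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            raise OAuthError("missing or malformed oauth_timestamp")
        if abs(self.now() - ts) > TIMESTAMP_WINDOW_SECONDS:
            raise OAuthError("timestamp outside acceptable window")
        # 3. Nonce must be fresh for this consumer and timestamp.
        key = (params.get("oauth_consumer_key"), ts, params.get("oauth_nonce"))
        if None in key:
            raise OAuthError("missing oauth_consumer_key or oauth_nonce")
        if key in self.seen_nonces:
            raise OAuthError("nonce already used")
        # 4. Signature last, compared without an early exit on the first mismatching byte.
        secret = self.consumer_secrets.get(key[0])
        if secret is None:
            raise OAuthError("unknown consumer")
        expected = hmac_sha1_signature(signature_base_string(method, base_url, params), secret, token_secret)
        presented = params.get("oauth_signature", "")
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            raise OAuthError("bad signature")
        self.seen_nonces.add(key)
        return True


def demo():
    """Constructed round trip: a valid request, its replay, and a PLAINTEXT attempt."""
    fixed_now = 1_250_000_000
    verifier = Verifier({"consumer-key-1": "consumer-secret-1"}, now=lambda: fixed_now)
    method, url = "POST", "https://photos.example.net/request_token"
    params = {
        "oauth_consumer_key": "consumer-key-1",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(fixed_now),
        "oauth_nonce": "wIjqoS",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), "consumer-secret-1")
    results = {"valid": verifier.verify(method, url, params)}
    try:                                   # same request again: nonce check must stop it
        verifier.verify(method, url, params)
        results["replay"] = "accepted"
    except OAuthError as e:
        results["replay"] = str(e)
    plaintext = dict(params, oauth_signature_method="PLAINTEXT",
                     oauth_nonce="other", oauth_signature="consumer-secret-1&")
    try:                                   # PLAINTEXT is not on the allow-list
        verifier.verify(method, url, plaintext)
        results["plaintext"] = "accepted"
    except OAuthError as e:
        results["plaintext"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering matters for the same reason the Java library validates timestamp and nonce first: a replayed or stale request is rejected before any secret is looked up or any HMAC is computed. The `compare_digest` call is the timing-attack defence; a plain `==` on two strings returns as soon as a byte differs, so response latency would vary with how many leading bytes of a guessed signature were right.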