Again, as I acknowledged in response to Richard's point, I was wrong
in assuming that HMAC offers any more protection than PLAINTEXT for
the sort of attacks I had in mind. You are quite right, it does not.
My apologies. Hopefully my broader point did not get lost.

Also, I wonder if in the security consideration in the PLAINTEXT part
of the spec, where it says "User", one means "Consumer".

"When used with PLAINTEXT signatures, the OAuth protocol makes no
attempts to protect User credentials from eavesdroppers or man-in-the-
middle attacks. The PLAINTEXT signature algorithm is only intended to
be used in conjunction with a transport-layer security mechanism such
as TLS or SSL which does provide such protection. If transport-layer
protection is unavailable, the PLAINTEXT signature method should not
be used."

On Oct 5, 10:36 am, Allen Tom <a...@yahoo-inc.com> wrote:
> beckett wrote:
> > But if you just use PLAINTEXT you as Yahoo! Contacts have absolutely
> > no idea if its REALLY PLAXO at the other end. It is trivial for any
> > site to get user to give up data. In which case you might as well not
> > use OAUTH and just make your data publicly available period. So I
> > would say that in any real situation, OAUTH-PLAINTEXT plus HTTPS
> > equals ZERO security.
>
> Disclaimer: Yahoo Contacts does not support PLAINTEXT because the
> Contacts API does not support HTTPS. If Contacts did support HTTPS, then
> we would recommend that all developers calling the Contacts API use
> PLAINTEXT rather than HMAC-SHA1, because IMHO PLAINTEXT is a lot easier
> for everyone to implement.
>
> I read this thread through the end, and I still don't understand how
> HTTPS (if implemented correctly) + PLAINTEXT equals "ZERO security" as
> you say.
>
> First of all, the attacker would need to steal the Consumer Secret in
> order to get a Request Token, exchange the Request Token for an Access
> Token, and to use the Access Token. If the Consumer Secret has been
> compromised,  how would using HMAC-SHA1 be any safer than PLAINTEXT?
>
> Secondly, Yahoo and many other Service Providers require the Consumer to
> pre-register the hostname portion of their oauth_callback URL, so an
> attacker would need to compromise both the consumer secret and be able
> to exploit the consumer's oauth_callback to steal the oauth_verifier
> after the user has authorized the consumer.
>
> Allen
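The thread turns on what the two OAuth 1.0 signature methods actually put on the wire. The following Python is an added example written for this page, not code from the OAuth spec, Yahoo or any participant; every credential, hostname and timestamp in it is a constructed placeholder. It implements both signature methods as OAuth 1.0 defines them (PLAINTEXT: the signing key itself; HMAC-SHA1: an HMAC over the signature base string), a Service Provider side check, and a small helper that answers the question Allen and beckett are arguing about: whether an eavesdropper on an unencrypted connection learns the secrets from the signature field.

```python
"""OAuth 1.0 signing: what PLAINTEXT and HMAC-SHA1 put on the wire (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed sample credentials and endpoint; none of these are real values.
CONSUMER_KEY = "consumer-key-EXAMPLE"
CONSUMER_SECRET = "consumer-secret-EXAMPLE"
TOKEN = "token-EXAMPLE"
TOKEN_SECRET = "token-secret-EXAMPLE"
METHOD = "GET"
URL = "https://api.example.com/contacts"


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved chars stay bare."""
    return quote(str(value), safe="~")


def signing_key(consumer_secret, token_secret=""):
    """Key used by both methods: enc(consumer secret) '&' enc(token secret)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def base_url(url):
    """Scheme/host lower-cased, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    host = p.hostname if p.port in (None, default) else f"{p.hostname}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method, url, params):
    """METHOD & enc(base URL) & enc(sorted 'k=v' pairs); oauth_signature is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])


def sign_plaintext(consumer_secret, token_secret=""):
    """PLAINTEXT: the 'signature' is the signing key, i.e. both secrets verbatim."""
    return signing_key(consumer_secret, token_secret)


def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1: base64(HMAC-SHA1(key, base string)); the secrets never leave the client."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def build_request(signature_method, nonce, timestamp):
    """Protocol parameters of a signed protected-resource request (constructed sample)."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": signature_method,
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        "format": "json",  # an ordinary request parameter; it is covered by the signature too
    }
    if signature_method == "PLAINTEXT":
        params["oauth_signature"] = sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET)
    else:
        params["oauth_signature"] = sign_hmac_sha1(METHOD, URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params


def verify(method, url, params, consumer_secret, token_secret):
    """Service Provider side: recompute with the stored secrets, compare in constant time."""
    if params.get("oauth_signature_method") == "PLAINTEXT":
        expected = sign_plaintext(consumer_secret, token_secret)
    else:
        expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def signature_reveals(params, secret):
    """True if someone who can read this request sees the secret verbatim in the signature."""
    return secret in params.get("oauth_signature", "")


if __name__ == "__main__":
    for method in ("PLAINTEXT", "HMAC-SHA1"):
        req = build_request(method, "n1", "1191600000")
        print(method, "signature on the wire:", req["oauth_signature"])
        print("  consumer secret readable from the request:", signature_reveals(req, CONSUMER_SECRET))
        print("  verifies at the Service Provider:", verify(METHOD, URL, req, CONSUMER_SECRET, TOKEN_SECRET))
```

Running it shows both sides of the argument. A PLAINTEXT request carries the Consumer Secret and Token Secret in clear in `oauth_signature`, which is exactly why the quoted spec text restricts PLAINTEXT to TLS; an HMAC-SHA1 request carries only a MAC bound to the method, URL, parameters, nonce and timestamp, so a passive observer learns neither secret. But `verify` passes for anyone who holds the same secrets, whichever method is used: once the Consumer Secret is compromised, HMAC-SHA1 buys nothing over PLAINTEXT, which is the point Allen makes and the original poster concedes above.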