On 2011-04-02, at 11:13 AM, Francisco Corella wrote:
> 
> > Another example I mentioned earlier is when the client does
> > not expose the protected resources back to the bearer of the
> > code. For example, a Twitter application sending you emails
> > when someone stops following you. Since all it does is get
> > the code and then uses it internally (no user login
> > functionality), TLS adds NOTHING.
> 
> I'm not sure I understand the example.  Would the attacker
> be able to get emails when someone stops following the user?
> Would that be OK?

I can do that without any authorization from the user. 

> Anyway, an application that accesses Twitter on the user's
> behalf is likely to be able to send tweets on the user's
> behalf.  The attacks we've been discussing would allow the
> attacker to send tweets on the user's behalf.  That's
> definitely not cool.

Maybe you should stop using Twitter as anyone that can MITM your session can 
tweet as you since Twitter does not enforce HTTPS on twitter.com

Am I missing something in your statement? ... or did you respond without 
thinking this through?

-- Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth