I like it, but I think using "phishing attacks" is too limited. I suggest
changing "phishing attacks" to "by an attacker"
________________________________
From: Eran Hammer-Lahav <e...@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Sent: Tuesday, August 16, 2011 2:44 PM
Subject: [OAUTH-WG] Open redirector feedback (Yaron Goland)
Moved here to help discuss.
> 3.1.2.4. Invalid Endpoint: Comment on “open redirector”: “How many people
> even know what the heck an open redirector is? I think we need a section in
> the security considerations section that defines what an open redirector is
> and why it’s bad. Alternatively a normative reference to a complete
> definition somewhere else is also fine.”
Added new section and reference to it:
10.15. Open Redirectors
The authorization server authorization endpoint and the client
redirection endpoint can be improperly configured and operate as open
redirectors. An open redirector is an endpoint using a parameter to
automatically redirect a user-agent to the location specified by the
parameter value without any validation.
Open redirectors can be used in phishing attacks to get end-users to
visit malicious sites by making the URI's authority look like a
familiar and trusted destination. In addition, if the authorization
server allows the client to register only part of the redirection
URI, an attacker can use an open redirector operated by the client to
construct a redirection URI that will pass the authorization server
validation but will send the authorization code or access token to an
endpoint under the control of the attacker.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
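The two failure modes the proposed 10.15 text describes (a redirection endpoint that forwards on an unvalidated parameter, and an authorization server that registers only part of the redirection URI) can be illustrated on the server side. The following is an added example, not text or code from the working group or the draft; the client id, host names and function names are constructed for illustration. It contrasts prefix matching of redirect_uri against exact matching, and adds a registration-time check that refuses redirection URIs which themselves carry another URL as a query parameter, the shape an open redirector takes.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample registration for the example: one client registered with
# one complete redirection URI. The client id and host are not from the thread.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://client.example.com/oauth/callback"},
}


def partial_match(client_id, redirect_uri):
    """The weak behaviour the draft text warns about: the server registered only
    part of the redirection URI and accepts anything that starts with it.
    If the client's callback forwards on a query parameter, a redirect_uri that
    passes this check can still deliver the code or token somewhere else."""
    return any(redirect_uri.startswith(prefix)
               for prefix in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def exact_match(client_id, redirect_uri):
    """The safe behaviour: the redirection URI in the request must equal a
    registered value byte for byte. No prefix, no wildcard, no normalisation."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def embedded_absolute_urls(redirect_uri):
    """Return (name, value) pairs for query parameters whose value is itself an
    absolute http(s) URL. A redirection URI carrying another URL as a parameter
    is the open-redirector shape, so it is worth refusing at registration time
    and flagging in authorization request logs."""
    parts = urlsplit(redirect_uri)
    found = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                found.append((name, value))
    return found


def register_redirect_uri(client_id, redirect_uri):
    """Registration-time checks so that only complete, clean URIs enter the
    table that exact_match() consults. Returns (accepted, reason)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False, "redirect URI must use https"
    if parts.fragment:
        return False, "redirect URI must not contain a fragment"
    if embedded_absolute_urls(redirect_uri):
        return False, "redirect URI must not embed another URL as a parameter"
    REGISTERED_REDIRECT_URIS.setdefault(client_id, set()).add(redirect_uri)
    return True, "registered"


if __name__ == "__main__":
    # Constructed authorization request values for the demonstration.
    legitimate = "https://client.example.com/oauth/callback"
    crafted = legitimate + "?next=https://attacker.example/collect"
    for uri in (legitimate, crafted):
        print(uri)
        print("  prefix match accepts:", partial_match("client-123", uri))
        print("  exact match accepts: ", exact_match("client-123", uri))
        print("  embedded URLs:       ", embedded_absolute_urls(uri))
```

Exact matching is the check that closes the second scenario in the draft text: once the whole redirection URI must be registered, a client-side open redirector no longer lets a request pass validation while pointing elsewhere. The registration-time check is a separate, defence-in-depth measure for the first scenario; it does not replace fixing the redirector itself.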