On Sep 6, 2011, at 3:49 PM, Michael Thomas wrote:

> Except in the desktop web world, I choose from a *tiny* set of browsers:
> chrome, firefox, opera, and, uh, ie. To a lesser or greater extent, I don't
> expect that the browsers themselves are malicious. Which is a pretty ok
> assumption.
It is? I would certainly question it. The WebKit WebView is embeddable in the C/C++ programming languages and APIs are available for that on most platforms - all are open to the same attacks you mention. How about the plugins you get for your browser from various places - they could have key loggers too. It's also possible for an app delivered from a server to present a login form that looks like it is from Twitter, but is actually from an attacker site. Such attacks are very common indeed, and don't require a key logger. They do require the user to "trust" the app though, just as the user would need to trust the key logger he installed.

> With embedded web views, that assumption goes out the window. There are
> 100's of thousands of apps, all of which can use webviews. I have no way
> to know if a given app is evil or not, and *lots* of apps provide facebook
> and twitter integration. Not because they're evil, but because that's what's
> expected by users. So the use model of oauth in this case is *very* different
> than the desktop use case.

I disagree. If anything, because desktop machines tend to be less 'locked-down' than mobile platforms (app stores for desktops followed app stores for mobile platforms), they are more widely open to abuse.

> But I'm being told that use cases aren't the problem of oauth. I'd say that
> there has all along been a hidden assumption that the browser was
> a trusted entity.

The point is simply that if you can subvert the actual platform, then OAuth problems are the least of your worries (as a user).

- John

> Since it isn't always, it should be very explicit in the
> protocol, threats, and security considerations of what could happen if it's
> not.
>
> Mike, frankly this is why apps do suck but I'm not king of the world
>
>> -- Justin
>> On Tue, 2011-09-06 at 15:28 -0400, Michael Thomas wrote:
>>> Melinda Shore wrote:
>>>> On 09/06/2011 11:11 AM, Jill Burrows wrote:
>>>>> I repeat, it is not an OAuth problem.
>>>> If I'm reading Mike correctly (and if I'm not it won't be the
>>>> first time I've misunderstood him), he's not really asking for
>>>> OAUTH to solve this particular problem but to clarify the
>>>> documents and beef up discussions of what is and is not in
>>>> scope. He read the document and couldn't figure out whether
>>>> or not this particular problem is the business of the working
>>>> group.
>>> I'm fairly certain that if somebody were deploying oauth for their servers
>>> that unless the document told me that oauth doesn't provide protection
>>> against third party snooping if it's embedded in any app, most people
>>> wouldn't have a clue that that was a dangerous assumption.
>>>
>>> What this says is that oauth only works in one use case, and that only the
>>> user can tell the difference. Given the proliferation of phone apps and
>>> embedded webviews, it seems that the original assumptions of oauth are
>>> no longer up to date.
>>>
>>> Mike
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth