On 09/06/2011 01:59 PM, John Kemp wrote:
On Sep 6, 2011, at 4:36 PM, Michael Thomas wrote:
[…]
But even if you did it once, how did you know that you didn't reveal your
credentials to a bad guy?
And I'm being told that this isn't even worthy of any mention anywhere? I came
here hoping to hear that the attack wasn't possible, or could be mitigated.
The attack can be mitigated, but it cannot be prevented through protocols like
OAuth (or any other protocol that I know of) alone.
Even mitigation would be a big improvement, especially mitigation
on the server side which has access to better resources to find and
toss out bad guys. If you know of some, I for one would be interested
in hearing about it.
Mike
The point is that you have a point.
But OAuth alone cannot address your point - it provides a different -- and
still useful -- mitigation for attacks on user credentials sent over a network.
It's not a superhero though.
- John
Zoicks.
Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth