Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

Wed, 06 Feb 2013 09:56:37 -0800 

Yes, MAC relies on SSL for transport security.  But you have bigger problems 
than that if SSL is broken, because your primary authentication credential is 
compromised now.

Do we need to address sslstrip here if it's a general attack on SSL transport 
for the browser?


________________________________
 From: Prabath Siriwardena <prab...@wso2.com>
To: William Mills <wmills_92...@yahoo.com> 
Cc: L. Preston Sego III <lpse...@gmail.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Wednesday, February 6, 2013 8:23 AM
Subject: Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 
requests
 




On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92...@yahoo.com> wrote:

There are two efforts at signed token types: MAC which is still a possibility 
if we wake up and do it, and the "Holder Of Key" type tokens.

If someone can use sslstrip then even MAC is not safe - since MAC key needs to 
be transferred over SSL to the Client from the AS.

There are standard ways in HTTP to avoid or protect from sslstrip - IMHO we 
need to occupy those best practices...

Thanks & regards,
-Prabath
 

>
>There are a lot of folks that agree with you.
>
>
>
>________________________________
> From: L. Preston Sego III <lpse...@gmail.com>
>To: oauth@ietf.org 
>Sent: Friday, February 1, 2013 7:37 AM
>Subject: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests
> 
>
>
>In an oauth2 request, the access token is passed along in the header, with 
>nothing else.
>
>
>As I understand it, oauth2 was designed to be simple for everyone to use. And 
>while, that's true, I don't really like how all of the security is reliant on 
>SSL.
>
>
>what if an attack can strip away SSL using a tool such as sslstrip (or 
>whatever else would be more suitable for modern https)? They would be able to 
>see the access token and start forging whatever request he or she wants to.
>
>
>Why not do some sort of RSA-type public-private key thing like back in Oauth1, 
>where there is verification of the payload on each request? Just use a better 
>algorithm?
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732 

http://blog.facilelogin.com
http://RampartFAQ.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to