On 06/02/13 17:56, William Mills wrote:
Yes, MAC relies on SSL for transport security. But you have bigger
problems than that if SSL is broken, because your primary authentication
credential is compromised now.

+1
Do we need to address sslstrip here if it's a general attack on SSL
transport for the browser?
When MAC is passed back to the client requesting a token in exchange for a grant, no browser is even involved, right? Besides, one can exchange a MAC token over two-way TLS in order to authenticate, and I guess it is much, much trickier to have a man-in-the-middle attack with two-way TLS.

Cheers, Sergey


------------------------------------------------------------------------
*From:* Prabath Siriwardena <prab...@wso2.com>
*To:* William Mills <wmills_92...@yahoo.com>
*Cc:* L. Preston Sego III <lpse...@gmail.com>; "oauth@ietf.org"
<oauth@ietf.org>
*Sent:* Wednesday, February 6, 2013 8:23 AM
*Subject:* Re: [OAUTH-WG] I'm concerned about how the sniffability of
oauth2 requests



On Mon, Feb 4, 2013 at 9:57 PM, William Mills <wmills_92...@yahoo.com
<mailto:wmills_92...@yahoo.com>> wrote:

    There are two efforts at signed token types: MAC which is still a
    possibility if we wake up and do it, and the "Holder Of Key" type
    tokens.


If someone can use sslstrip then even MAC is not safe, since the MAC key
needs to be transferred over SSL to the Client from the AS.

There are standard ways in HTTP to avoid or protect from sslstrip - IMHO
we need to occupy those best practices...

Thanks & regards,
-Prabath


    There are a lot of folks that agree with you.

    ------------------------------------------------------------------------
    *From:* L. Preston Sego III <lpse...@gmail.com
    <mailto:lpse...@gmail.com>>
    *To:* oauth@ietf.org <mailto:oauth@ietf.org>
    *Sent:* Friday, February 1, 2013 7:37 AM
    *Subject:* [OAUTH-WG] I'm concerned about how the sniffability of
    oauth2 requests

    In an oauth2 request, the access token is passed along in the
    header, with nothing else.

    As I understand it, oauth2 was designed to be simple for everyone to
    use. And while that's true, I don't really like how all of the
    security is reliant on SSL.

    What if an attacker can strip away SSL using a tool such as sslstrip
    (or whatever else would be more suitable for modern https)? They
    would be able to see the access token and start forging whatever
    request they want to.

    Why not do some sort of RSA-type public-private key thing like back
    in OAuth 1, where there is verification of the payload on each
    request? Just use a better algorithm?

    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org <mailto:OAuth@ietf.org>
    https://www.ietf.org/mailman/listinfo/oauth







--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com




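To make the thread's distinction concrete, here is an added illustration (not code from the OAuth WG or from any of the posters) of what a signed-request token changes for an observer: the request carries only a key id, a nonce and an HMAC, so a captured request does not reveal the credential, and the verifier can reject altered or replayed requests. The key id, secret and normalized-string layout are constructed for this example and are only modelled on the MAC token draft, not claimed to match it exactly; the key itself still has to reach the client over TLS, which is the dependency Prabath points out.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed key material for the example: in the real flow the AS hands
# the key id and secret to the client over TLS when the token is issued.
MAC_KEY_ID = "h480djs93hd8"  # placeholder id, not a real token
MAC_KEY = b"constructed-shared-secret-not-a-real-key"


def normalized_request(nonce, method, uri, host, port):
    # Simplified normalized request string: newline-separated fields that
    # bind the signature to the nonce, method, path, host and port.
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port), ""])


def mac_authorization_header(method, uri, host, port, key_id=MAC_KEY_ID,
                             key=MAC_KEY, nonce=None):
    # Client side: sign the request; the secret never leaves the client.
    nonce = nonce or f"{int(time.time())}:{secrets.token_hex(4)}"
    msg = normalized_request(nonce, method, uri, host, port).encode()
    mac = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    return f'MAC id="{key_id}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    pairs = (p.strip().split("=", 1) for p in params.split(","))
    return {k: v.strip('"') for k, v in pairs}


def verify_mac_request(header, method, uri, host, port, key_lookup, seen_nonces):
    # Server side: recompute the MAC over what was actually received,
    # compare in constant time, and reject nonce reuse (replay).
    p = parse_mac_header(header)
    key = key_lookup.get(p["id"])
    if key is None or p["nonce"] in seen_nonces:
        return False
    msg = normalized_request(p["nonce"], method, uri, host, port).encode()
    expected = base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(expected, p["mac"]):
        return False
    seen_nonces.add(p["nonce"])
    return True
```

By contrast a bearer request carries the access token itself in the Authorization header, which is exactly what Preston's original message objects to.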
