more engineering effort to try and create a sufficiently
clever static code analysis tool to do this than it would for a
proficient security auditor to review the code by hand.
--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com
the protocol was BROKEN in design in the first place.
the protocol was BROKEN [by] design in
the first place [and should be fixed].
On 5/1/09 4:25 AM, Blaine Cook wrote:
3. 1.1
+1.
Version trap: NEVER use a .0
release or always wait for Service Pack 1. So, 1.1 is a good thing
- maybe folks will take it seriously, hoping the kinks have been worked out.
There we go: OAuth Service Pack 1.
On 4/30/09 3:25 AM, Eran Hammer-Lahav wrote:
2. Since this change is small, I would like to give it a short review
period before another draft. Please submit all your comments by May
8th.
Looks fine! Nicely done.
On 4/30/09 3:50 AM, Solberg Andreas Åkre wrote:
FYI
https://rnd.feide.no/content/vulnerable-token-creation-php-oauth-library
Ouch! Nice find. w/ rainbow table of MD5, recovering the secret from
the token is a matter of seconds, d'oh! :-)
On 4/30/09 4:21 AM, Solberg Andreas Åkre wrote:
On 30. april 2009, at 10:10, Dossy Shiobara wrote:
https://rnd.feide.no/content/vulnerable-token-creation-php-oauth-library
Ouch! Nice find. w/ rainbow table of MD5, recovering the secret from
the token is a matter of seconds, d'oh
Really, why not bump the version to 1.1? Is there real magic behind the
version number? What's the point of versioning the protocol if revving
it is painful?
this is to change the spec. to require the user
authenticate with the SP to generate an identity nonce which the
consumer uses to begin the OAuth flow to authorize itself with SP on
behalf of the user.
time - i.e., a nonce.
Nit: nonce is probably not the right term here, because it means
something that is used only once. Counters are perfectly acceptable
as nonces. In this case we need something unpredictable.
Thanks for the correction and clarification. I agree.
will be protected from tampering.
implementation for
anyone developing their own OAuth consumer.
in the scenario.
And yes, making request tokens one-time only is a MUST, IMHO.
principle of OAuth, then perhaps I'm wasting my
time. Perhaps I should instead formulate a specification for an open
authorization protocol that doesn't have this assumption.
that needs to
be passed out-of-band. I'm not sure that moving the authentication
before request token necessarily guarantees that.
It doesn't need to be passed out of band. You only need to defend
against it being intercepted by an attacker.
a SP should be prohibited from expiring a token after
one unsuccessful exchange attempt. IMHO, the number should be chosen
based on the SP's desired security level.
for signatures because at that
point the token secret has not been supplied?
The token secret is an empty string. Proceed as normal.
to
use a value that an attacker can already know.
saying. Please, help me help
others understand this, too.
with the request token, and no longer allowing it on
the authorize URL? This would allow for dynamic callback URLs but
eliminate an attacker's ability to manipulate the callback URL as long
as they aren't privy to the consumer secret and request secret.
the Consumer. In this case, the
User is simply bounced back and forth between Consumer and Provider
twice, but requires no actual interaction. IMHO, this is the ultimate
good UX possible.
where the shared secrets are
potentially revealed to an attacker.
Instead of a callback nonce, we need to start the whole process with an
identity nonce (the authentication token I keep referring to) that the
Consumer must use in order to initiate the entire authorization flow.
up to luck and is a pretty
inefficient scam.
* without a malicious callback
Let us observe that email spam is proof-positive that inefficiency
won't prevent attacks - as long as payout is non-zero and cost
approaches zero, someone will do it if they are seeking the outcome.
I think you're missing the fact that the attacker is the one using the
consumer. The victim is just sent to SP to authorize the attacker's
token with _the victim's_ identity, which then makes the attacker's
session at the consumer access the victim's resources at the SP.
(At this point, the request token is no longer valid or usable.)
7) Gmail proceeds to use Flickr's API using Bob's authorized access token.
Any questions?
On 4/24/09 5:42 PM, Leah Culver wrote:
OAuth Meetup
Tuesday, Apr 28th at 5pm
Six Apart
548 4th Street
Darn, I'd love to participate but at 8pm US/Eastern time, I'll be at a
Grateful Dead concert. Argh!
the authorized request token and secret and upgrades it
to an access token.
4) Alice now holds an authorized access token and secret that has access
to Bob's account.
This is a very real threat vector. Let's fix it.
the security of this suggestion
before I comment.
, if it is not sufficient to remove the risk, is worthless.