Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Eran Hammer-Lahav
Steingarten; oauth@ietf.org Subject: RE: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Hi Eran, As far as I understood, in a textbook CSRF attack the attacker would create his own requests in order to abuse a user's session. This can be prevented by utilizing

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Torsten Lodderstedt
Hi Eran, As far as I understood, in a textbook CSRF attack the attacker would create his own requests in order to abuse a user's session. This can be prevented by utilizing standard CSRF countermeasures (page token, nonce, signature as parameter on every request URL), which bind URLs to a

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Torsten Lodderstedt
- From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Wednesday, September 14, 2011 6:51 AM To: Eran Hammer-Lahav Cc: Niv Steingarten; oauth@ietf.org Subject: RE: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Hi Eran, As far as I understood, in a textbook CSRF

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Eran Hammer-Lahav
] Draft 20 last call comment (Resource Owner Impersonation) It is a native app and it is external wrt the browser. regards, Torsten. On Wed, 14 Sep 2011 06:59:47 -0700, Eran Hammer-Lahav wrote: Is this malicious piece of software external a native application either part of a native

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-04 Thread Eran Hammer-Lahav
Sorry for the late response. -Original Message- From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Sunday, August 21, 2011 10:59 AM To: Eran Hammer-Lahav Cc: Niv Steingarten; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-21 Thread Torsten Lodderstedt
Hi Eran, This is still just a CSRF attack. I think you may be right. I still believe this particular style of attack on the authorization server is worth mentioning, be it in its own separate section or under the existing CSRF section (as you suggested). This is not a style of attack but

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Lodderstedt, Torsten
do you hold it back? regards, Torsten. EHL -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Friday, August 12, 2011 7:56 AM To: oauth@ietf.org Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
[mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Friday, August 12, 2011 7:56 AM To: oauth@ietf.org Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Hi all, I think the impersonation issue as raised by Niv on the list should be covered

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Igor Faynberg
Lodderstedt Sent: Friday, August 12, 2011 7:56 AM To: oauth@ietf.org Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Hi all, I think the impersonation issue as raised by Niv on the list should be covered by the core spec. It directly aims at the trustworthiness of the user

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
, August 18, 2011 5:49 AM To: Eran Hammer-Lahav Cc: Torsten Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Here are two very simple examples. They are very naive ones, but get the point across and I would not be surprised

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
Hey Torsten, -Original Message- From: Lodderstedt, Torsten [mailto:t.lodderst...@telekom.de] Sent: Thursday, August 18, 2011 12:52 AM To: Eran Hammer-Lahav; Torsten Lodderstedt; oauth@ietf.org Subject: AW: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) I've

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
-Original Message- From: Niv Steingarten [mailto:nivst...@gmail.com] Sent: Thursday, August 18, 2011 10:16 AM To: Eran Hammer-Lahav Cc: Torsten Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) (thanks for the typo

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Barry Leiba
I'd like to ask the chairs to open an issue for this. http://trac.tools.ietf.org/wg/oauth/trac/ticket/24 I didn't realize how hyper sensitive this working group has become that every proposal being questioned needs a ticket to prove to people that they are not being dismissed. It's OK:

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Barry Leiba
Yes, the example I provided is a very lightweight one which does take the form of CSRF, but it is only the simplest example of a family of automated authorization flow attacks. Indeed, a nonce (or hidden token, both serve the same purpose in this case) would be enough here. Great. So we need

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
last call comment (Resource Owner Impersonation) Can you provide another example with the same level of detail as you provided below? The malicious client sends a request to the authorization endpoint with the appropriate parameters, and in return receives the markup of the web-page which

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
-Original Message- From: Niv Steingarten [mailto:nivst...@gmail.com] Sent: Thursday, August 18, 2011 11:08 AM To: Eran Hammer-Lahav Cc: Torsten Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) On Thu, Aug 18, 2011

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
-Original Message- From: Niv Steingarten [mailto:nivst...@gmail.com] Sent: Thursday, August 18, 2011 12:12 PM To: Eran Hammer-Lahav Cc: Torsten Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) On Thu, Aug 18, 2011

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread William J. Mills
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) On Thu, Aug 18, 2011 at 20:31, Eran Hammer-Lahav e...@hueniverse.com wrote: -Original Message- From: Niv Steingarten [mailto:nivst...@gmail.com] Sent: Thursday, August 18, 2011 10:16 AM To: Eran

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
Hammer-Lahav Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) This is, in my opinion, another style of CSRF. If the attacker presents your browser (user agent) with a link, and your browser presents a credential automatically to the token endpoint

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) On Thu, Aug 18, 2011 at 20:31, Eran Hammer-Lahav e...@hueniverse.com wrote: -Original Message- From: Niv Steingarten [mailto:nivst...@gmail.com] Sent: Thursday

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
-Original Message- From: Niv Steingarten [mailto:nivst...@gmail.com] Sent: Thursday, August 18, 2011 1:04 PM To: Eran Hammer-Lahav Cc: Torsten Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) On Thu, Aug 18, 2011

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
: Torsten Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) On Thu, Aug 18, 2011 at 22:19, Eran Hammer-Lahav e...@hueniverse.com wrote: -Original Message- From: Niv Steingarten [mailto:nivst...@gmail.com] Sent: Thursday

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread William J. Mills
, 2011 1:04 PM To: Eran Hammer-Lahav Cc: Torsten Lodderstedt; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) On Thu, Aug 18, 2011 at 22:19, Eran Hammer-Lahav e...@hueniverse.com wrote: -Original Message- From: Niv Steingarten

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
...@gmail.com To: Eran Hammer-Lahav e...@hueniverse.com Cc: oauth@ietf.org oauth@ietf.org Sent: Thursday, August 18, 2011 4:33 PM Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) How about add something like this as the second paragraph in 10.12

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread William J. Mills
... From: Niv Steingarten nivst...@gmail.com To: Eran Hammer-Lahav e...@hueniverse.com Cc: oauth@ietf.org oauth@ietf.org Sent: Thursday, August 18, 2011 4:33 PM Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) How about add something like

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
that up to the editors of that document. EHL From: William J. Mills [mailto:wmi...@yahoo-inc.com] Sent: Thursday, August 18, 2011 9:21 PM To: Niv Steingarten Cc: Eran Hammer-Lahav; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) While I agree

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-17 Thread Eran Hammer-Lahav
...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Friday, August 12, 2011 7:56 AM To: oauth@ietf.org Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Hi all, I think the impersonation issue as raised by Niv on the list should

[OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-12 Thread Torsten Lodderstedt
Hi all, I think the impersonation issue as raised by Niv on the list should be covered by the core spec. It directly aims at the trustworthiness of the user consent, which in my opinion is one of the core principles of OAuth. I therefore suggest to add a description to section 10. Please