On Nov 24, 2008, at 12:34 PM, Brian Eaton wrote:
> On Mon, Nov 24, 2008 at 11:59 AM, John Kristian <[EMAIL PROTECTED]> wrote:
>> It would be nice if OAuth client libraries automatically handled
>> redirects and signed each request.
>
> Wearing my security hat... automatically signing redirect URLs is
> risky. What if the response from the service provider is compromised?
>
> If you're using plaintext signatures, you leak your secrets to
> wherever the attacker redirects you.
>
> If you're using HMAC or RSA, you leak signatures for whatever URL you
> are redirected to. The attacker can force you to make near-arbitrary
> signed OAuth requests.

This seems to me like a really serious problem. I think future versions of the spec should probably say something explicit and strongly worded about this -- "unless transport-layer security is being used, consumers MUST NOT automatically follow HTTP redirects" or something of the sort.

Of course, systematically not following 300s is likely to break other things -- but that seems the lesser evil.

-sq
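The client-side policy the reply argues for, as an added example that is not code from this thread or from any OAuth library: a minimal HMAC-SHA1 signer that builds the signature base string the way OAuth 1.0 specifies, plus a request helper that signs the original URL but refuses to produce a fresh signature for a redirect target unless both URLs are HTTPS and share the same origin. That same-origin rule is an assumption of this example (stricter than the "unless transport-layer security is being used" wording above). The transport is a constructed stand-in for HTTP so the code runs offline, and the parameter values and sample secrets are the ones from the OAuth Core 1.0 spec's worked example, not real credentials. A provider-side verifier is included to show why a signature leaked for one URL is useless for another.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


class UnsafeRedirect(Exception):
    """Raised when a provider response tries to redirect a signed request elsewhere."""


def percent_encode(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0 signature base string for a request (method, base URL, params)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    base_url = f"{scheme}://{host}{parts.path}"
    # Query-string parameters are signed alongside the oauth_* parameters.
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_signature(method, url, received, consumer_secret, token_secret=""):
    """Provider-side check: the signature must have been computed for *this* URL."""
    unsigned = {k: v for k, v in received.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(received.get("oauth_signature", ""), expected)


def redirect_is_safe(original_url, location):
    """Policy (an assumption of this example): follow only when both URLs are HTTPS
    and share the same host[:port], so a signature is never minted for a third party."""
    o, t = urlsplit(original_url), urlsplit(location)
    return o.scheme == "https" and t.scheme == "https" and o.netloc.lower() == t.netloc.lower()


def signed_request(transport, method, url, oauth_params, consumer_secret,
                   token_secret="", max_redirects=3):
    """Sign and send; on a 3xx, re-sign only if the target passes redirect_is_safe.

    transport(method, url, params) -> (status, headers, body) is caller-supplied so
    the example runs offline. A production client would also mint a fresh
    oauth_nonce/oauth_timestamp for each attempt; this example reuses them.
    """
    for _ in range(max_redirects + 1):
        params = dict(oauth_params, oauth_signature_method="HMAC-SHA1")
        params["oauth_signature"] = hmac_sha1_signature(method, url, params,
                                                        consumer_secret, token_secret)
        status, headers, body = transport(method, url, params)
        if status not in (301, 302, 303, 307, 308):
            return status, url, body
        location = headers.get("Location", "")
        if not redirect_is_safe(url, location):
            raise UnsafeRedirect(f"refusing to sign a request to {location!r} for {url!r}")
        url = location
    raise UnsafeRedirect("too many redirects")


# Sample values from the OAuth Core 1.0 spec's worked example (not real credentials).
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
ORIGIN = "https://photos.example.net/photos"


def make_fake_provider(responses, log):
    """Constructed stand-in for HTTP: responses maps url -> (status, headers, body)."""
    def transport(method, url, params):
        log.append((url, params))
        return responses.get(url, (404, {}, b""))
    return transport


def demo_hostile_redirect():
    """Provider response redirects off-site: the client refuses; attacker gets no request."""
    log = []
    transport = make_fake_provider(
        {ORIGIN: (302, {"Location": "http://attacker.invalid/collect"}, b"")}, log)
    try:
        signed_request(transport, "GET", ORIGIN, SPEC_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    except UnsafeRedirect:
        return [u for u, _ in log]
    return None


def demo_same_origin_redirect():
    """Same-origin HTTPS redirect is followed; the new signature binds to the new URL only."""
    log, target = [], "https://photos.example.net/v2/photos"
    transport = make_fake_provider(
        {ORIGIN: (302, {"Location": target}, b""), target: (200, {}, b"ok")}, log)
    status, final_url, _ = signed_request(transport, "GET", ORIGIN, SPEC_PARAMS,
                                          CONSUMER_SECRET, TOKEN_SECRET)
    final_params = log[-1][1]
    return {
        "status": status,
        "final_url": final_url,
        "urls": [u for u, _ in log],
        "valid_for_final": verify_signature("GET", final_url, final_params, CONSUMER_SECRET, TOKEN_SECRET),
        "valid_for_origin": verify_signature("GET", ORIGIN, final_params, CONSUMER_SECRET, TOKEN_SECRET),
    }
```

Two things the demos make concrete: with a hostile Location header the off-site host never receives a signed request at all, and even on an allowed redirect the re-signed request verifies only for the URL it was signed for, which is exactly why handing out signatures for attacker-chosen URLs is the problem the thread describes.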
