On Tue, Dec 2, 2008 at 2:12 AM, Ben Laurie <[EMAIL PROTECTED]> wrote:
> I'm also wondering what kind of compromise would allow an attacker to send a
> redirect with seeing the original request?
Eh? Who said they didn't see the original request? For plaintext over http, the attack is uninteresting. For anything over https, the attack is very difficult due to the need to spoof the SSL cert. For HMAC and RSA over http, though, a MITM gains some advantage if the OAuth client follows redirects. They can cause the client to send near-arbitrary requests with valid OAuth signatures.
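The redirect concern raised in this message, shown from the client side as an added example (not code from the thread or from any OAuth library): an OAuth 1.0 HMAC-SHA1 signature is bound to the method, URL and parameters, so following a redirect means minting a fresh signature for whatever the `Location` header names. The function names, the allowlist policy, the endpoints and the secrets are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urljoin, urlsplit

def pct(s):
    # Percent-encode everything except the RFC 3986 unreserved characters.
    return quote(str(s), safe="-._~")

def endpoint(url):
    # Normalised scheme://host[:port]/path: lower case, default port dropped.
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme)
    host = u.hostname if u.port in (None, default) else f"{u.hostname}:{u.port}"
    return f"{u.scheme}://{host}{u.path}"

def base_string(method, url, params):
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(endpoint(url)), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class RedirectRefused(Exception):
    pass

def resign_for_redirect(method, url, params, location, secrets, allowed):
    # Hypothetical policy: never sign for a redirect target unless it is an
    # endpoint the application already trusts, and never let the Location
    # header contribute parameters that would end up under the signature.
    target = urljoin(url, location)
    t = urlsplit(target)
    if t.query or t.fragment:
        raise RedirectRefused(f"redirect adds parameters: {target}")
    if endpoint(target) not in allowed:
        raise RedirectRefused(f"endpoint not allowlisted: {target}")
    return target, sign(method, target, params, *secrets)

# Constructed sample values, not taken from the thread.
SECRETS = ("cs-constructed", "ts-constructed")
PARAMS = {"oauth_consumer_key": "ck", "oauth_token": "tk", "oauth_nonce": "n1",
          "oauth_timestamp": "1228200000", "oauth_signature_method": "HMAC-SHA1"}
ORIGIN = "http://api.example.test/photos"
ALLOWED = {"http://api.example.test/photos", "https://api.example.test/photos"}
```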
