On Thu, Apr 23, 2009 at 11:52 AM, Brian Eaton <[email protected]> wrote:
> On Thu, Apr 23, 2009 at 11:46 AM, Mike Malone <[email protected]> wrote:
> > The other difference is that it seems you're not issuing a callback token
> > for the manual case, where there's no callback URL. I think you need a
> > callback token either way. There's still a timing attack for the manual case
> > because the attacker could sit on the callback page for the consumer and
> > repeatedly submit the request token key, possibly beating the victim there
> > after the token has been authorized. The solution is to have the user enter
> > two numbers in the manual case. The request token key, and the callback
> > nonce (which could be a short PIN, as Eran suggested).
>
> This is a terrible user experience. Some service providers and
> consumers will accept it, but we need good security for installed
> applications even when we can't ask the user to type a PIN manually.

In the manual case the user is already typing the request token key manually. Asking them to type one more (perhaps 4-digit) number doesn't seem like such a burden.

Mike
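As an added illustration of the race described in the quoted message (this is a constructed model, not code from the thread or from any OAuth library): a toy service provider is run once without a callback verifier and once requiring the short PIN the user types in the manual case, and the exchange step is tried by an attacker who only knows the request token key. All class and function names are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional


class Provider:
    """Toy OAuth 1.0 service provider holding request-token state (constructed example)."""

    def __init__(self, require_verifier: bool):
        self.require_verifier = require_verifier
        self.tokens: Dict[str, dict] = {}  # request token key -> state

    def issue_request_token(self) -> str:
        key = secrets.token_hex(8)
        self.tokens[key] = {"authorized": False, "verifier": None, "used": False}
        return key

    def user_authorizes(self, key: str) -> Optional[str]:
        """User approves the token in the browser. In the manual case the provider
        shows a short PIN (the callback nonce from the thread) that the user must type."""
        entry = self.tokens[key]
        entry["authorized"] = True
        if self.require_verifier:
            entry["verifier"] = f"{secrets.randbelow(10000):04d}"
        return entry["verifier"]

    def exchange_for_access_token(self, key: str, verifier: Optional[str]) -> bool:
        """Request-token-to-access-token step. Each request token may be redeemed once."""
        entry = self.tokens.get(key)
        if entry is None or not entry["authorized"] or entry["used"]:
            return False
        if self.require_verifier:
            # Constant-time compare so the PIN check itself leaks nothing via timing.
            if verifier is None or not hmac.compare_digest(verifier, entry["verifier"]):
                return False
        entry["used"] = True
        return True


def simulate_race(require_verifier: bool) -> Dict[str, bool]:
    """The attacker knows the request token key and keeps hitting the consumer's
    callback page, so an exchange attempt lands right after the user authorizes,
    before the legitimate user gets there. Returns who obtained the access token."""
    provider = Provider(require_verifier)
    key = provider.issue_request_token()
    assert not provider.exchange_for_access_token(key, None)  # polling before approval fails
    pin = provider.user_authorizes(key)
    attacker_won = provider.exchange_for_access_token(key, None)  # attacker never saw the PIN
    victim_won = provider.exchange_for_access_token(key, pin)
    return {"attacker": attacker_won, "victim": victim_won}
```

Without the verifier the attacker's earlier request redeems the single-use token and the user is locked out; with it, the attacker's attempt is rejected and the user's succeeds. A 4-digit PIN only holds if the provider also limits guesses, for instance by revoking the request token after a failed exchange.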
