On 4/23/09 9:06 PM, Brian Eaton wrote:
> The current version of the protocol is susceptible to a very similar
> attack for web applications, which is why people are so upset and
> working on a fix.
>
> I won't go into those details until a reasonable fix is available. :-)
>
> For desktop apps, it's hard to do better, and even once we have a fix
> for web apps it's likely that people will keep using OAuth 1.0 for
> some desktop apps. There are a few options.

Why is it hard to do better? Perhaps it's hard to do better without affecting the user experience, but that's the cost of open interoperability and security.

> 1) Keep using OAuth 1.0.
>
> SPs can tell users that they are authorizing an application on
> their desktop. There is some risk of social engineering as you
> describe, but hopefully the language on service provider pages
> mentioning desktop applications will help.

The problem here is that attackers can leverage other vulnerabilities (in browsers, in provider implementations, etc.) to make the victim's active participation entirely unnecessary. Social engineering is clearly the easiest attack vector, but not the only one here.

> 2) Callback token displayed on page.
>
> SPs can display a callback token, which the user will manually
> enter into their desktop application. This is not a good user
> experience, but provides better security than option 1.

Not sure about the language of "callback token" here, which to me implies something that happens during or after the process is complete. What we need is an "identity token": something that an authenticated user requests from the Provider and feeds into the Consumer, which can use it to begin the request+authorization flow. This is why I respond to people who love to point out that "OAuth isn't an authentication scheme" with "I know, and I hope we can correct that sad oversight."

> 3) Callback token sent to desktop app.
>
> There are a bunch of ways to get a callback token to a desktop app
> automatically, most of them mentioned earlier in this thread.

I'll have to think more deeply about the security of this suggestion before I comment.
-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own folly
    -- then you can let go and quickly move on." (p. 70)
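Option 2 above (a code the provider displays after authorization, which the user types into the desktop app) as an added example, not code from the thread or from any OAuth library: a small Python simulation of a service provider and a desktop consumer in which the typed code is bound to the request token and checked when the request token is exchanged for an access token. The class names, the in-memory token store, the six-digit code format and the user name "alice" are assumptions of this example; request signing with consumer and token secrets is left out to keep the focus on the binding.

```python
"""Simulation of a user-typed code bound to an OAuth-style request token.

All names here (ServiceProvider, DesktopApp, the 6-digit code, "alice") are
assumptions of this example, not from the thread or any OAuth library.
Request signing is omitted; only the token/code binding is modelled.
"""
import hmac
import secrets


class ServiceProvider:
    """Issues request tokens, records the user's approval plus a code,
    and mints an access token only when that code is presented."""

    def __init__(self):
        # request token -> {"authorized": bool, "user": str|None, "code": str|None}
        self._request_tokens = {}
        self._access_tokens = {}  # access token -> user

    def issue_request_token(self):
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = {"authorized": False, "user": None, "code": None}
        return token

    def authorize(self, request_token, user):
        """The authenticated user approves the request token in the browser.
        Returns the code the SP page shows for the user to type into the app.
        A request token can be authorized only once."""
        entry = self._request_tokens.get(request_token)
        if entry is None or entry["authorized"]:
            raise PermissionError("unknown or already authorized request token")
        code = f"{secrets.randbelow(10**6):06d}"  # short enough to type by hand
        entry.update(authorized=True, user=user, code=code)
        return code

    def exchange(self, request_token, typed_code):
        """Trade an authorized request token plus the typed code for an access
        token; None on failure. The first exchange attempt after authorization
        consumes the request token even if the code is wrong, so a short code
        cannot be brute-forced by retrying."""
        entry = self._request_tokens.get(request_token)
        if entry is None or not entry["authorized"]:
            return None  # unknown token, or the app is asking too early
        del self._request_tokens[request_token]  # single use from here on
        if not hmac.compare_digest(entry["code"], typed_code):
            return None
        access_token = secrets.token_urlsafe(16)
        self._access_tokens[access_token] = entry["user"]
        return access_token

    def whoami(self, access_token):
        return self._access_tokens.get(access_token)


class DesktopApp:
    """Consumer with no callback URL: opens a browser, then asks the user
    to type the code the SP displayed."""

    def __init__(self, sp):
        self.sp = sp
        self.request_token = None

    def start(self):
        self.request_token = self.sp.issue_request_token()
        # A real app would open this URL in the user's browser.
        return f"https://provider.example/authorize?oauth_token={self.request_token}"

    def finish(self, typed_code):
        return self.sp.exchange(self.request_token, typed_code)


def run_flow(typed_code_is_correct, attempt_early=False):
    """Run one full flow; return the user the access token resolves to,
    or None when the SP refused."""
    sp = ServiceProvider()
    app = DesktopApp(sp)
    url = app.start()
    if attempt_early and app.finish("000000") is not None:
        raise AssertionError("exchange before authorization must fail")
    # The user visits the URL, logs in, approves, and reads the code off the page.
    request_token = url.rsplit("oauth_token=", 1)[1]
    code = sp.authorize(request_token, "alice")
    typed = code if typed_code_is_correct else f"{(int(code) + 1) % 10**6:06d}"
    access_token = app.finish(typed)
    return sp.whoami(access_token) if access_token else None


def retry_after_wrong_code():
    """A wrong code burns the request token: the right code no longer works.
    Returns True when the SP behaves that way."""
    sp = ServiceProvider()
    app = DesktopApp(sp)
    request_token = app.start().rsplit("oauth_token=", 1)[1]
    code = sp.authorize(request_token, "alice")
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    return app.finish(wrong) is None and app.finish(code) is None


if __name__ == "__main__":
    print("correct code ->", run_flow(True))            # alice
    print("wrong code   ->", run_flow(False))           # None
    print("retry burned ->", retry_after_wrong_code())  # True
```

The point the simulation makes is that a request token authorized in the user's browser is worthless to anyone who does not also hold the code shown to that user, and that a code short enough to type by hand is only safe if the provider consumes the request token on the first exchange attempt rather than letting the consumer retry.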
