On Fri, Apr 24, 2009 at 7:15 AM, pkeane <[email protected]> wrote:
> The weakness is in the A-B connection.
> ...
> Whatever happens, I think the consumer is going to need to signal to the
> user that it is about to make contact with the SP, and either ask for or
> present a PIN, or a pattern or picture to remember, etc., that the user
> has to verify, either to themselves ("yea that's the same picture I saw")
> or by typing a short code/PIN to "authenticate."
> ...
If I understand what you say, this would not work: since it's the attacker
that initiates the flow, anything that the consumer shows in step A would be
known to him, so it could possibly be used in the social part of the attack,
making the user impersonate the attacker in step B (e.g. convincing him to
input the PIN).

Luca

You received this message because you are subscribed to the Google Groups "OAuth" group (http://groups.google.com/group/oauth?hl=en).
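The exchange above, modelled as an added example that is not part of the thread or of any OAuth library: a toy service provider (SP) and consumer in which step A (consumer obtains a request token and shows the initiator a PIN) and step B (a user approves that token at the SP) are separate calls, so one can see why a consumer-displayed PIN does not help when the attacker is the one who initiated step A. The `with_verifier` branch models the opposite design, an SP-generated secret returned only to the browser that performed step B (the oauth_verifier later adopted in OAuth 1.0a, which this thread predates); class and function names are hypothetical, and all tokens are generated locally.

```python
"""Toy model of the OAuth 1.0 'A-B' session-fixation attack (constructed example)."""
import secrets


class ServiceProvider:
    """Hypothetical SP: issues request tokens, records step-B approvals, exchanges tokens."""

    def __init__(self):
        self.request_tokens = {}  # token -> {"authorized", "user", "verifier"}
        self.access_tokens = {}   # access token -> user it belongs to

    def issue_request_token(self):
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = {"authorized": False, "user": None, "verifier": None}
        return tok

    def authorize(self, tok, user, with_verifier):
        """Step B: `user` logs in at the SP and approves the request token.

        Returns the verifier (or None); it is delivered to the browser that
        performed step B, not to whoever obtained the request token in step A.
        """
        rec = self.request_tokens[tok]
        rec["authorized"] = True
        rec["user"] = user
        if with_verifier:
            rec["verifier"] = secrets.token_hex(4)
        return rec["verifier"]

    def exchange(self, tok, verifier=None):
        """Swap an authorized request token for an access token."""
        rec = self.request_tokens.pop(tok, None)
        if rec is None or not rec["authorized"]:
            raise PermissionError("request token not authorized")
        if rec["verifier"] is not None and verifier != rec["verifier"]:
            raise PermissionError("bad oauth_verifier")
        access = secrets.token_hex(8)
        self.access_tokens[access] = rec["user"]
        return access


class Consumer:
    """Hypothetical consumer that shows a PIN in step A, as pkeane proposed."""

    def __init__(self, sp):
        self.sp = sp
        self.pending = {}  # request token -> PIN shown to the initiator

    def start(self):
        """Step A: whoever initiates gets the request token AND the consumer's PIN."""
        tok = self.sp.issue_request_token()
        pin = f"{secrets.randbelow(10000):04d}"
        self.pending[tok] = pin
        return tok, pin

    def callback(self, tok, verifier=None):
        """The initiator's browser returns here after step B (or the attacker replays)."""
        self.pending.pop(tok)
        return self.sp.exchange(tok, verifier)


def legitimate_flow(with_verifier):
    """Honest user initiates A, approves B in the same browser, consumer gets her token."""
    sp = ServiceProvider()
    consumer = Consumer(sp)
    tok, _pin = consumer.start()
    verifier = sp.authorize(tok, "alice", with_verifier)
    access = consumer.callback(tok, verifier)  # her browser carries the verifier back
    return sp.access_tokens[access]


def session_fixation(with_verifier):
    """Attacker initiates A, victim is talked into doing B, attacker finishes the flow.

    Returns the user the attacker's access token belongs to, or None if the
    exchange was refused.
    """
    sp = ServiceProvider()
    consumer = Consumer(sp)
    # The attacker initiates step A, so the request token and the PIN the
    # consumer displays are both in the attacker's hands (Luca's objection).
    tok, pin = consumer.start()
    # Social engineering: attacker sends the victim the authorization URL for
    # `tok` together with `pin`; the PIN matches, so the victim proceeds with B.
    verifier = sp.authorize(tok, user="victim", with_verifier=with_verifier)
    assert pin in consumer.pending.values()  # the PIN never protected anything
    # The attacker never saw `verifier` (it went to the victim's browser) and
    # replays the callback with the request token alone.
    try:
        access = consumer.callback(tok)
    except PermissionError:
        return None
    return sp.access_tokens[access]


if __name__ == "__main__":
    print("honest flow:", legitimate_flow(with_verifier=False))
    print("fixation, PIN only:", session_fixation(with_verifier=False))
    print("fixation, SP verifier:", session_fixation(with_verifier=True))
```

Run stand-alone, the PIN-only configuration yields an access token bound to the victim for the attacker, while requiring the step-B verifier at exchange time makes the replay fail; the honest flow works in both configurations because the same browser does steps A and B.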
