On Apr 24, 12:28 am, Luca Mearelli <[email protected]> wrote:
> On Fri, Apr 24, 2009 at 7:15 AM, pkeane <[email protected]> wrote:
> > The weakness is in the A-B connection.
> ...
> > Whatever happens, I think the consumer is
> > going to need to signal to the user that it is about to make contact
> > with the SP, and either ask for or present a PIN, or a pattern or
> > picture to remember, etc., that the user has to verify, either to
> > themselves ("yea that's the same picture I saw") or by typing a short
> > code/PIN to "authenticate."
>
> ...
>
> If I understand what you say, this would not work, since it's the
> attacker that initiates the flow: anything that the consumer shows in
> step A would be known to him, so it could possibly be used in the social
> part of the attack, making the user impersonate the attacker in
> step B (e.g. convincing him to input the PIN).

Yes, that's definitely true, but that connection needs to be made
nonetheless, a PIN being a very weak form of authentication. But
something like "click this link and then when they ask you your
favorite color, say 'red'" (or some such) might be harder to convince
the victim to go for. I'm probably not the person to suggest the best
mechanism, but I do think a solution should try to tie u...@a to
u...@b even if there is a "social" element to it (even a banner that
says "you really did come from xyz.com, right?"). It's not any more
intractable than phishing attacks, I believe. If it *is* an attack,
the victim should be made acutely aware of that when they try to
authorize the token. I am thinking that at this stage, the spec
should maybe provide a range of suggested solutions for this piece,
then maybe someone could propose an extension that addresses more
airtight A-B authentication.

--peter

>
> Luca
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
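The attack the two posts above are arguing about, played out in code. This is an added example, not code from the thread, from the OAuth spec or from any OAuth library; every class and function name in it (ServiceProvider, Consumer, run_attack, run_honest) is invented here, and the PIN and verifier mechanics are toy stand-ins for the real HTTP redirects. It models three variants of the consumer/SP dance: the plain flow, the "consumer shows a PIN at step A, user types it at step B" idea from pkeane's post (which fails exactly as Luca says, because the attacker who started the flow knows the PIN and can relay it in the lure), and a third in which the SP mints a secret when the user authorizes and returns it only with that browser's redirect, so whoever started the flow at A never learns it. That third shape is the one the oauth_verifier parameter of OAuth 1.0a later took.

```python
import secrets


class ServiceProvider:
    """Step B side (toy): issues request tokens, lets a logged-in user authorize one."""

    def __init__(self, issue_verifier):
        self.issue_verifier = issue_verifier
        self.tokens = {}  # request token -> {"pin", "user", "verifier"}

    def request_token(self, pin=None):
        # The consumer may register the PIN it showed at step A alongside the token.
        tok = secrets.token_hex(8)
        self.tokens[tok] = {"pin": pin, "user": None, "verifier": None}
        return tok

    def authorize(self, tok, user, pin_typed=None):
        """The user approves tok in their own browser. Returns the query string
        (as a dict) the SP redirects that same browser back to the consumer with."""
        rec = self.tokens[tok]
        if rec["pin"] != pin_typed:
            raise PermissionError("PIN does not match the one shown at step A")
        rec["user"] = user
        if self.issue_verifier:
            # Secret created at authorization time; only the authorizing browser
            # ever carries it, so the party who started the flow does not see it.
            rec["verifier"] = secrets.token_hex(8)
        return {"oauth_token": tok, "oauth_verifier": rec["verifier"]}

    def access_token(self, tok, verifier=None):
        rec = self.tokens.pop(tok, None)
        if rec is None or rec["user"] is None:
            raise PermissionError("token not authorized")
        if self.issue_verifier and verifier != rec["verifier"]:
            raise PermissionError("verifier missing or wrong")
        return "access-token-for:" + rec["user"]


class Consumer:
    """Step A side (toy): starts the flow in a browser session, finishes it on callback."""

    def __init__(self, sp, show_pin):
        self.sp = sp
        self.show_pin = show_pin
        self.pending = {}  # browser session id -> request token started from it

    def start(self, session):
        pin = secrets.token_hex(2) if self.show_pin else None  # displayed to the user at A
        tok = self.sp.request_token(pin)
        self.pending[session] = tok
        return tok, pin

    def callback(self, session, redirect):
        tok = redirect["oauth_token"]
        # Binding the token to the consumer session is necessary but, on its own,
        # useless here: the attacker's own session is the one that started the flow.
        if self.pending.get(session) != tok:
            raise PermissionError("token was not started from this session")
        return self.sp.access_token(tok, redirect["oauth_verifier"])


def run_honest(show_pin, issue_verifier):
    """Legitimate user completes the flow in one browser; must always succeed."""
    sp = ServiceProvider(issue_verifier)
    consumer = Consumer(sp, show_pin)
    tok, pin = consumer.start("alice-session")
    redirect = sp.authorize(tok, "alice", pin_typed=pin)
    return consumer.callback("alice-session", redirect)


def run_attack(show_pin, issue_verifier):
    """Attacker starts the flow at A, lures the victim into authorizing the
    attacker's token at B, then tries to finish. Returns the access token the
    attacker obtains, or None if the flow refused them."""
    sp = ServiceProvider(issue_verifier)
    consumer = Consumer(sp, show_pin)
    tok, pin = consumer.start("attacker-session")  # attacker sees both tok and pin
    # Social part: the victim clicks the attacker's authorize link; if a PIN was
    # shown at A, the lure simply tells the victim which PIN to type at B.
    sp.authorize(tok, "victim", pin_typed=pin)
    # The SP's redirect (and any verifier in it) lands in the victim's browser.
    # All the attacker can present from their own session is the token.
    attacker_redirect = {"oauth_token": tok, "oauth_verifier": None}
    try:
        return consumer.callback("attacker-session", attacker_redirect)
    except PermissionError:
        return None
```

Run `run_attack(show_pin=True, issue_verifier=False)` and the attacker still walks away with the victim's access token, which is Luca's objection in one call; run it with `issue_verifier=True` and the exchange fails because the only copy of the verifier went to the victim's browser, while `run_honest` keeps working in every configuration. The remaining hole is the one pkeane points at: if the lure can also talk the victim into pasting the verifier back to the attacker, the tie between the user at A and the user at B is again only as strong as the social layer.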