On Fri, Aug 14, 2009 at 12:44 PM, Mike Malone<[email protected]> wrote:
> Seth, I actually think that enforcing nonces should make this attack
> impossible for guessing OAuth signatures (assuming you enforce nonces
> for malformed requests). If you can only get a good/bad response once
> then you're out of luck.

Agreed.

> In practice few people actually check nonces, but checking time stamps
> should make this attack _extremely_ infeasible if not impossible. If
> you only allowed timestamps that are <= 15 minutes old, for example,
> an attacker would have to determine your signature within 15 minutes
> (which means making many millions of requests in that period of time).

It depends whether the server checks the signature or the timestamp
first.  If it checks the signature first, then the attacker can try to
work out the signature for a time in the future.

Cheers,
Brian
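As an added example (not code from the thread or from any OAuth library), the following minimal OAuth 1.0 HMAC-SHA1 verifier applies both points made above: it validates the timestamp window first, then records the nonce (even for requests that will go on to fail), and only then compares the signature, in constant time. The in-memory `NonceStore`, the 15-minute window, and the simplified base-string construction are assumptions made for the example; a real server would use a shared, expiring nonce store and the full percent-encoding rules of the spec.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Window the thread mentions: reject timestamps more than 15 minutes off the server clock.
TIMESTAMP_WINDOW_SECONDS = 15 * 60


class NonceStore:
    """In-memory (consumer_key, nonce, timestamp) store. Assumption for this
    example: a real deployment backs this with a shared store that expires
    entries once they fall outside TIMESTAMP_WINDOW_SECONDS."""

    def __init__(self):
        self._seen = set()

    def check_and_record(self, consumer_key, nonce, timestamp):
        key = (consumer_key, nonce, timestamp)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def signature_base_string(method, url, params):
    # Simplified OAuth 1.0 base string: method, URL and sorted parameters,
    # excluding oauth_signature itself. Encoding details are reduced here.
    normalized = "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items()) if k != "oauth_signature"
    )
    return "&".join([method.upper(), quote(url, safe=""), quote(normalized, safe="")])


def hmac_sha1_signature(consumer_secret, token_secret, base_string):
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}"
    return hmac.new(key.encode(), base_string.encode(), hashlib.sha1).hexdigest()


def signed_params(method, url, params, consumer_secret, token_secret):
    """Client side: return a copy of params with oauth_signature attached."""
    out = dict(params)
    out["oauth_signature"] = hmac_sha1_signature(
        consumer_secret, token_secret, signature_base_string(method, url, out))
    return out


def verify_request(method, url, params, consumer_secret, token_secret, store, now=None):
    """Server side. Returns (accepted, reason).

    Order matters: timestamp first, nonce second, signature last. A request
    that fails the signature check has already consumed its nonce, so the
    same (nonce, timestamp) cannot be resubmitted with a refined guess, and a
    timestamp in the future is rejected before any signature work happens."""
    now = time.time() if now is None else now
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "bad_timestamp"
    if abs(now - ts) > TIMESTAMP_WINDOW_SECONDS:
        return False, "stale_timestamp"

    nonce = params.get("oauth_nonce")
    consumer_key = params.get("oauth_consumer_key")
    if not nonce or not consumer_key:
        return False, "missing_nonce_or_key"
    # Record the nonce before the signature is examined, malformed or not.
    if not store.check_and_record(consumer_key, nonce, ts):
        return False, "replayed_nonce"

    expected = hmac_sha1_signature(consumer_secret, token_secret,
                                   signature_base_string(method, url, params))
    provided = str(params.get("oauth_signature", ""))
    # Constant-time comparison: an early-exit == would leak how many leading
    # characters of the guess are correct.
    if not hmac.compare_digest(expected, provided):
        return False, "bad_signature"
    return True, "ok"
```

With this ordering a wrong signature burns the nonce, so the second attempt with a corrected guess is rejected as a replay rather than reaching the comparison at all.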

You received this message because you are subscribed to the Google Groups "OAuth" group.