From what I can see you would need only one variable for it to be feasible, that is the consumer secret on a request token request. However since the nonce and timestamp have to be changed I don't think it's feasible for any of the digest based attacks (nor the RSA one).

I also just made a test request against agree2 attempting to set PLAINTEXT and it did not accept it, so I'm glad we handled that case back when we wrote the OAuth Ruby gem. You might want to check your OAuth implementation for this if you're not using the standard Ruby implementation. I have no idea how Python, Java, .NET etc. handle this.

P

On Fri, Aug 14, 2009 at 4:01 PM, Seth Fitzsimmons <[email protected]> wrote:
>
>> Seth, I actually think that enforcing nonces should make this attack
>> impossible for guessing OAuth signatures (assuming you enforce nonces
>> for malformed requests). If you can only get a good/bad response once
>> then you're out of luck.
>
> I was thinking that the attacker would be attempting to guess consumer
> and token keys and secrets, not signatures. With that approach, you
> can continue generating valid requests using different keys and
> secrets ad infinitum. Thus, checking nonces and timestamps is
> irrelevant.
>
> seth

--
http://agree2.com - Reach Agreement!
http://extraeagle.com - Solutions for the electronic Extra Legal world
http://stakeventures.com - Bootstrapping blog
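The checks the thread argues over, shown as an added Ruby example that is not code from the OAuth Ruby gem or from either poster: a server-side verifier for HMAC-SHA1 request-token requests that refuses PLAINTEXT, records the nonce and checks the timestamp window before it ever answers good or bad on a signature, compares the recomputed signature in constant time, and counts rejections per consumer key so a deployment can throttle the key/secret guessing that nonce checks alone do not stop. The consumer lookup table, the injectable clock, the failure counter and the restriction to request-token requests (empty token secret) are assumptions made for the example.

```ruby
require 'openssl'

# Added example: minimal server-side verifier for OAuth 1.0a request-token
# requests signed with HMAC-SHA1. Not the OAuth Ruby gem's code; the consumer
# table, the injected clock and the failure counter are assumptions.
module OAuthCheck
  TIMESTAMP_WINDOW = 300 # seconds of clock skew tolerated

  # RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved bytes kept).
  def self.pct(s)
    s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
  end

  # Signature base string: METHOD & encode(base URL) & encode(normalized params),
  # with oauth_signature itself excluded and pairs sorted by encoded key, then value.
  def self.base_string(method, url, params)
    normalized = params.reject { |k, _| k == 'oauth_signature' }
                       .map { |k, v| [pct(k), pct(v)] }
                       .sort
                       .map { |k, v| "#{k}=#{v}" }
                       .join('&')
    [method.upcase, pct(url), pct(normalized)].join('&')
  end

  # HMAC-SHA1 over the base string; the token secret is empty on a request-token request.
  def self.sign(method, url, params, consumer_secret, token_secret = '')
    key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
    [OpenSSL::HMAC.digest('sha1', key, base_string(method, url, params))].pack('m0')
  end

  # Constant-time comparison so the verdict does not leak how many bytes matched.
  # (OpenSSL.fixed_length_secure_compare does the same on newer Rubies.)
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  class Verifier
    attr_reader :failures

    # consumers: consumer_key => consumer_secret (assumed lookup table);
    # clock: injectable so the timestamp window can be exercised deterministically.
    def initialize(consumers, clock: -> { Time.now.to_i })
      @consumers = consumers
      @clock = clock
      @nonces = Hash.new { |h, k| h[k] = {} } # consumer_key => { nonce => timestamp }
      @failures = Hash.new(0)                 # consumer_key => rejected request count
    end

    # Returns :ok, or a symbol naming the first check that failed.
    def verify(method, url, params)
      key = params['oauth_consumer_key']
      return :unknown_consumer unless @consumers.key?(key)

      # 1. PLAINTEXT carries the secrets themselves; refuse it regardless of transport.
      return reject(key, :plaintext_rejected) unless params['oauth_signature_method'] == 'HMAC-SHA1'

      # 2. Freshness and nonce uniqueness are checked before the signature, and the
      #    nonce is recorded even if the signature then turns out to be wrong, so a
      #    given nonce can only ever produce one good/bad answer.
      ts = params['oauth_timestamp'].to_i
      return reject(key, :stale_timestamp) if (@clock.call - ts).abs > TIMESTAMP_WINDOW
      nonce = params['oauth_nonce'].to_s
      return reject(key, :nonce_reused) if nonce.empty? || @nonces[key].key?(nonce)
      @nonces[key][nonce] = ts

      # 3. Recompute the signature and compare in constant time.
      expected = OAuthCheck.sign(method, url, params, @consumers[key])
      return reject(key, :bad_signature) unless OAuthCheck.secure_equal?(expected, params['oauth_signature'].to_s)

      :ok
    end

    private

    # Per-consumer rejection counts are what a deployment would feed into
    # throttling, since nonces do nothing against guessing keys and secrets.
    def reject(key, reason)
      @failures[key] += 1
      reason
    end
  end
end

# Constructed sample: a client signs a request-token request, the server checks it twice.
if __FILE__ == $PROGRAM_NAME
  v = OAuthCheck::Verifier.new({ 'example-key' => 'example-secret' })
  url = 'https://photos.example.net/initiate'
  params = { 'oauth_consumer_key' => 'example-key', 'oauth_signature_method' => 'HMAC-SHA1',
             'oauth_timestamp' => Time.now.to_i.to_s, 'oauth_nonce' => 'wIjqoS',
             'oauth_callback' => 'http://printer.example.com/ready', 'oauth_version' => '1.0' }
  params['oauth_signature'] = OAuthCheck.sign('POST', url, params, 'example-secret')
  p v.verify('POST', url, params) # :ok
  p v.verify('POST', url, params) # :nonce_reused
end
```

The ordering in `verify` is the point of Pelle's first paragraph: because the nonce is burned before the signature is examined, a request with a wrong signature cannot be resubmitted to see whether a different guess fares better. Seth's objection is handled by the `failures` counter rather than by the nonce logic, which is why it is kept separate.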
