The plaintext signature method actually directly compares the secret as opposed to a real signature. The oauth_signature is basically plaintext consumer and token secrets concatenated with a &. Nonces and timestamps don't do anything to change the content of oauth_signature.
In a simplified example, imagine your consumer secret is 'aaaa'. You generate token requests looping through '0000', '1000' ... 'ff00' to see if any one of them has a timing difference. Once you have a couple of candidates you do the same for the next 2 hex values until you have deduced the secret. In this example I'm assuming you have guessed the secret size based on some knowledge of the implementation, e.g. the Ruby implementation creates 40-char base64 codes by default. You could always register a dummy consumer to figure this out. But you could also easily do timing attacks to figure out the key size. Most low-level implementations, including Ruby, Python and Java, do a length check before they do an actual byte-wise compare. So you should see a notable time difference by testing the key set to an arbitrary string 'x', adding a character on every attempt.

P

On Fri, Aug 14, 2009 at 5:04 PM, Mike Malone <[email protected]> wrote:
>
>> I think the only affected implementation is the plain text signature,
>> which I really never thought should have been part of the standard in
>> the first place. Does anyone actually use that?
>
> Please explain. How does this affect plaintext any differently than
> the other signature methods?
>
> Mike

--
http://agree2.com - Reach Agreement!
http://extraeagle.com - Solutions for the electronic Extra Legal world
http://stakeventures.com - Bootstrapping blog
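As an added illustration (not code from this thread or from any OAuth library), a Python sketch of the PLAINTEXT check the message describes: the leaky compare that does a length test and then stops at the first mismatching byte, beside a constant-time compare using hmac.compare_digest. The function names are assumptions of this example; the naive verifier also reports how many characters it examined, which is the quantity a response-time measurement would reflect.

```python
import hmac
from urllib.parse import quote


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    """Build the OAuth 1.0 PLAINTEXT oauth_signature: the two secrets, each
    percent-encoded, joined with '&'. Nonce and timestamp play no part, so
    the value is effectively the secrets themselves."""
    return quote(consumer_secret, safe="") + "&" + quote(token_secret, safe="")


def verify_naive(expected: str, received: str) -> tuple:
    """Leaky check (the pattern the message warns about): length test first,
    then a byte-wise walk that returns at the first mismatch.

    Returns (match, chars_examined). The second value is what leaks: it grows
    with the length of the correct prefix the caller supplied."""
    if len(expected) != len(received):
        return False, 0
    examined = 0
    for a, b in zip(expected, received):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_constant_time(expected: str, received: str) -> bool:
    """Hardened check: hmac.compare_digest does not short-circuit on the
    first differing byte, so the work done does not depend on how much of
    the submitted value matches. Both sides are encoded to bytes so the
    comparison never raises on mixed str/bytes input."""
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def verify_request(params: dict, consumer_secret: str, token_secret: str) -> bool:
    """Server-side check of one request's oauth_* parameters (a constructed
    dict in the test, standing in for parsed Authorization header fields)."""
    if params.get("oauth_signature_method") != "PLAINTEXT":
        return False
    expected = plaintext_signature(consumer_secret, token_secret)
    return verify_constant_time(expected, params.get("oauth_signature", ""))
```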
