> > My understanding is that I should be able to use PLAINTEXT without
> > compromising security as long as I stick with HTTPS. Is my understanding
> > right?

Depends on what you mean by "compromising security".

Say a user wants to move data from Yahoo! Contacts to Plaxo. If you do
HTTPS on both links, it is true that an eavesdropper listening on the
user's connection to Yahoo! Contacts or the user's connection to Plaxo will
not be able to see anything.

But if you just use PLAINTEXT, you as Yahoo! Contacts have absolutely
no idea if it's REALLY PLAXO at the other end. It is trivial for any
site to get a user to give up data. In which case you might as well not
use OAUTH and just make your data publicly available, period. So I
would say that in any real situation, OAUTH-PLAINTEXT plus HTTPS
equals ZERO security.

On Oct 2, 10:06 am, Eran Hammer-Lahav <[email protected]> wrote:
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf
> > Of prashant kulkarni
> > Sent: Friday, October 02, 2009 9:35 AM
> > To: OAuth
> > Subject: [oauth] Need for timestamp and nonce over HTTPS
>
> > I am looking at implementing an OAuth Service Provider that only supports
> > communication using HTTPS. The OAuth specification allows me to use the
> > PLAINTEXT signature method. I am thinking it should be a good fit for my
> > purposes.
>
> > I have 2 questions:
>
> > (a) My understanding is that I should be able to use PLAINTEXT without
> > compromising security as long as I stick with HTTPS. Is my understanding
> > right?
>
> Yes (assuming HTTPS is done correctly).
>
> > (b) I do not see any use of nonce and timestamp since there is no real
> > signing of request or real threat of Man in the middle or replay
> > attacks. Would I be compromising security if I do not keep track of
> > nonce and timestamp?
>
> No. They are completely useless with PLAINTEXT.
>
> EHL
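The two signature methods the thread contrasts, as an added example (not code from this thread or from any OAuth library): an OAuth 1.0 signer for PLAINTEXT and HMAC-SHA1 together with the checks a Service Provider runs on an incoming request. The credentials, request parameters and URL are constructed sample values. It shows that HMAC-SHA1 binds oauth_nonce and oauth_timestamp into the signature, while the PLAINTEXT signature is the same bytes whatever nonce or timestamp the request carries, so with PLAINTEXT only the replay cache would ever look at those fields.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials and request for this demo, not real values.
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
SAMPLE = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1254500000",
          "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0", "file": "contacts.csv"}

def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved characters pass through).
    return quote(str(value), safe="-._~")

def plaintext_signature(consumer_secret, token_secret):
    # PLAINTEXT: the "signature" is just the two secrets joined, so it covers no part of the request.
    return pct(consumer_secret) + "&" + pct(token_secret)

def signature_base_string(method, url, params):
    # Normalize every parameter except the signature itself into the string that HMAC-SHA1 signs.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1: the secrets key an HMAC over method, URL and all parameters, nonce and timestamp included.
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def signature_for(method, url, params, consumer_secret, token_secret):
    # Compute the signature for whichever method the request names in oauth_signature_method.
    if params["oauth_signature_method"] == "PLAINTEXT":
        return plaintext_signature(consumer_secret, token_secret)
    return hmac_sha1_signature(method, url, params, consumer_secret, token_secret)

def verify(method, url, params, consumer_secret, token_secret, seen_nonces, now, window=300):
    # Service-provider side: freshness window, signature comparison, then nonce uniqueness per consumer.
    if abs(now - int(params["oauth_timestamp"])) > window:
        return "stale timestamp"
    expected = signature_for(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return "bad signature"
    replay_key = (params["oauth_consumer_key"], params["oauth_nonce"], params["oauth_timestamp"])
    if replay_key in seen_nonces:
        return "replayed nonce"
    seen_nonces.add(replay_key)
    return "ok"
```

Because the PLAINTEXT signature carries the secrets themselves, any party that can read a PLAINTEXT request (the TLS peer, or anything that terminates TLS in front of the provider) can produce a fresh nonce and timestamp at will, which is why the replay checks buy nothing there.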
