beckett wrote:
> But if you just use PLAINTEXT you as Yahoo! Contacts have absolutely
> no idea if it's REALLY PLAXO at the other end. It is trivial for any
> site to get user to give up data. In which case you might as well not
> use OAUTH and just make your data publicly available period. So I
> would say that in any real situation, OAUTH-PLAINTEXT plus HTTPS
> equals ZERO security.
>
> Disclaimer: Yahoo Contacts does not support PLAINTEXT because the Contacts API does not support HTTPS. If Contacts did support HTTPS, then we would recommend that all developers calling the Contacts API use PLAINTEXT rather than HMAC-SHA1, because IMHO PLAINTEXT is a lot easier for everyone to implement.
I read this thread through the end, and I still don't understand how HTTPS (if implemented correctly) + PLAINTEXT equals "ZERO security" as you say.

First of all, the attacker would need to steal the Consumer Secret in order to get a Request Token, exchange the Request Token for an Access Token, and use the Access Token. If the Consumer Secret has been compromised, how would using HMAC-SHA1 be any safer than PLAINTEXT?

Secondly, Yahoo and many other Service Providers require the Consumer to pre-register the hostname portion of their oauth_callback URL, so an attacker would need to both compromise the consumer secret and be able to exploit the consumer's oauth_callback to steal the oauth_verifier after the user has authorized the consumer.

Allen
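The two points in the reply above (both signature methods depend on the consumer secret, and the provider pre-registers the callback hostname) can be made concrete with a small OAuth 1.0 signing and verification routine. The code below is an added example written for this thread, not code from any of the participants, Yahoo or Plaxo. It follows RFC 5849 (percent-encoding, signature base string, HMAC-SHA1 and PLAINTEXT signatures); all keys, secrets, hostnames and the `https://api.example.test/contacts` URL are constructed placeholders, and `callback_host_allowed` is a hypothetical helper standing in for a provider's registered-callback check. It also shows the one property that separates the two methods: an HMAC-SHA1 signature binds the request parameters, while a PLAINTEXT signature binds nothing, so with PLAINTEXT the integrity of the request rests entirely on TLS.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare.
    urllib's quote() never encodes those four punctuation characters, so safe='' is exact."""
    return quote(s, safe="")


def base_url(url: str) -> str:
    """Normalise the request URL for the base string: lowercase scheme and host,
    drop a default port, drop the query string (query params go into `params`)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    if (scheme, parts.port) in (("http", 80), ("https", 443)):
        netloc = parts.hostname  # already lowercased by urlsplit
    return f"{scheme}://{netloc}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """method & enc(base URL) & enc(sorted, encoded k=v pairs), excluding oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([pct(method.upper()), pct(base_url(url)), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # Both methods use the same key material; the consumer secret is always required.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign_plaintext(consumer_secret: str, token_secret: str = "") -> str:
    # PLAINTEXT: the signature *is* the key, so it must only ever travel inside TLS.
    return signing_key(consumer_secret, token_secret)


def sign_hmac_sha1(method: str, url: str, params: dict,
                   consumer_secret: str, token_secret: str = "") -> str:
    key = signing_key(consumer_secret, token_secret).encode("utf-8")
    msg = signature_base_string(method, url, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def verify(method: str, url: str, params: dict,
           consumer_secret: str, token_secret: str = "") -> bool:
    """Service-provider side: recompute with the secrets on file and compare in constant time."""
    presented = params.get("oauth_signature", "")
    sig_method = params.get("oauth_signature_method")
    if sig_method == "PLAINTEXT":
        expected = sign_plaintext(consumer_secret, token_secret)
    elif sig_method == "HMAC-SHA1":
        expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    else:
        return False
    return hmac.compare_digest(presented, expected)


def callback_host_allowed(oauth_callback: str, registered_hosts: set) -> bool:
    """Hypothetical provider check: the callback host must match one pre-registered
    for this consumer key. 'oob' (out-of-band) is the RFC 5849 no-callback value."""
    if oauth_callback == "oob":
        return True
    host = urlsplit(oauth_callback).hostname
    return host is not None and host.lower() in registered_hosts


# Constructed sample request (all values are placeholders).
URL = "https://api.example.test/contacts"
CONSUMER_SECRET = "cs-constructed/1"
TOKEN_SECRET = "ts-constructed"
REQUEST = {
    "count": "10",
    "format": "json",
    "oauth_consumer_key": "consumer-key-constructed",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1234567890",
    "oauth_token": "token-constructed",
}


def demo() -> dict:
    """Sign once with each method, then verify the original and a tampered copy."""
    hmac_req = dict(REQUEST)
    hmac_req["oauth_signature"] = sign_hmac_sha1("GET", URL, hmac_req, CONSUMER_SECRET, TOKEN_SECRET)
    plain_req = dict(REQUEST, oauth_signature_method="PLAINTEXT")
    plain_req["oauth_signature"] = sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET)

    tampered_hmac = dict(hmac_req, count="9999")
    tampered_plain = dict(plain_req, count="9999")
    return {
        "hmac_ok": verify("GET", URL, hmac_req, CONSUMER_SECRET, TOKEN_SECRET),
        "hmac_tampered_ok": verify("GET", URL, tampered_hmac, CONSUMER_SECRET, TOKEN_SECRET),
        "hmac_wrong_secret_ok": verify("GET", URL, hmac_req, "other-secret", TOKEN_SECRET),
        "plain_ok": verify("GET", URL, plain_req, CONSUMER_SECRET, TOKEN_SECRET),
        # PLAINTEXT does not cover the parameters at all: a tampered request still verifies.
        "plain_tampered_ok": verify("GET", URL, tampered_plain, CONSUMER_SECRET, TOKEN_SECRET),
        "plain_wrong_secret_ok": verify("GET", URL, plain_req, "other-secret", TOKEN_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Reading the `demo()` results side by side makes the trade-off in the thread explicit: with either method a request from a party that does not hold the consumer secret fails verification, which is the reply's first point; the only thing HMAC-SHA1 adds is that the signature also fails when a parameter is altered in transit, which is exactly the gap TLS is expected to close when PLAINTEXT is used. The callback check is the provider-side control behind the reply's second point.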
