Though not of course the body of a POST, unless it is form-encoded data, which merely pushes the problem of canonicalization (and thus interoperability) outside the spec.

On Monday, March 8, 2010, Dick Hardt <[email protected]> wrote:
>
> On 2010-03-08, at 6:39 PM, Ethan Jewett wrote:
>
>> Request hijacking: I actually significantly understated the protection
>> against request hijacking that the HMAC-SHA1 method of OAuth 1.0a
>> provides. In the worst case, a MITM can hijack a request but cannot
>> change the request method, URL, query parameters, nonce, or timestamp.
>> In the best case (a single-part form-encoded request body or a request
>> consisting only of query parameters), the MITM cannot modify the
>> request at all because it is fully signed. It is not true, as Dick
>> contends, that a MITM who has captured a signed OAuth 1.0a request can
>> use a signed access token as if it were a bearer token. It is far more
>> limited in the worst case, and useless in the best case.
>
> After reviewing section 3.4 of draft-hammer-oauth I see that the query string is
> part of the string being signed, minimizing the attack surface. Thanks for
> pointing out my misunderstanding.
>
> -- Dick
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

--
John Panzer / Google
[email protected] / abstractioneer.org / @jpanzer
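The thread turns on which parts of a request the HMAC-SHA1 signature in section 3.4 actually covers. The following is an added example, not code from the thread, from draft-hammer-oauth or from any of the participants: it builds the signature base string as that section describes (method, base URI, and the normalized query, oauth_* and form-body parameters) and then shows, from the server's verification side, which modifications invalidate the signature. The credentials, nonce, timestamp and URLs are constructed for illustration; the helper names (`signature_base_string`, `verify`, `tamper_results`) are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed example credentials (not real secrets). The HMAC key is the
# percent-encoded consumer secret and token secret joined by "&".
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
FORM = "application/x-www-form-urlencoded"


def pct(s):
    """Percent-encode, leaving only the RFC 3986 unreserved characters."""
    return quote(s, safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, oauth_params, body=None, content_type=None):
    """Build 'METHOD&uri&params' as in section 3.4.1 of the draft.

    The parameter set is the query string, the oauth_* header parameters and,
    only when the body is form-encoded, the body parameters. Any other body
    (JSON, XML, multipart) is not part of the signed material.
    """
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    if content_type == FORM and body:
        params += parse_qsl(body, keep_blank_values=True)
    # Encode each name and value, then sort by name and value before joining.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(method, url, oauth_params, body=None, content_type=None):
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}"
    sbs = signature_base_string(method, url, oauth_params, body, content_type)
    return base64.b64encode(hmac.new(key.encode(), sbs.encode(), hashlib.sha1).digest()).decode()


def verify(req):
    """Server-side check: recompute the signature over the request as received."""
    expected = hmac_sha1_signature(req["method"], req["url"], req["oauth"],
                                   req.get("body"), req.get("content_type"))
    return hmac.compare_digest(expected, req["oauth"]["oauth_signature"])


def signed_request(method, url, body=None, content_type=None):
    # Constructed nonce and timestamp; a real client draws fresh ones per request.
    oauth = {
        "oauth_consumer_key": "dpf43f3p2l4k3l03",
        "oauth_token": "nnch734d00sl2jdk",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1268100000",
        "oauth_nonce": "kllo9940pd9333jh",
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(method, url, oauth, body, content_type)
    return {"method": method, "url": url, "oauth": oauth, "body": body, "content_type": content_type}


def tamper_results():
    """Which in-transit modifications the verifier catches, keyed by scenario."""
    results = {}
    url = "https://photos.example.net/photos?file=vacation.jpg&size=original"

    get_req = signed_request("GET", url)
    results["get_intact"] = verify(get_req)
    results["get_query_changed"] = verify({**get_req, "url": url.replace("vacation.jpg", "other.jpg")})
    results["get_method_changed"] = verify({**get_req, "method": "DELETE"})

    form_req = signed_request("POST", "https://photos.example.net/photos", "title=Hello&share=no", FORM)
    results["form_intact"] = verify(form_req)
    results["form_body_changed"] = verify({**form_req, "body": "title=Hello&share=yes"})

    json_req = signed_request("POST", "https://photos.example.net/photos", '{"share": "no"}', "application/json")
    results["json_intact"] = verify(json_req)
    results["json_body_changed"] = verify({**json_req, "body": '{"share": "yes"}'})
    return results


if __name__ == "__main__":
    for name, ok in tamper_results().items():
        print(f"{name:20s} signature valid: {ok}")
```

The output lines up with both posts: changing the method, a query parameter or a form-encoded body parameter makes verification fail, while a JSON body changed in transit still verifies because nothing in the base string covers it. A server that accepts non-form bodies under OAuth 1.0a therefore has to bind them some other way (for example a body hash carried in a signed parameter), or rely on TLS for that part of the request.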
