Or a connection to evil will happen. On Wed, Oct 13, 2010 at 6:33 PM, Eran Hammer-Lahav <[email protected]> wrote: > I don't think so. If you are not running a server on port 80, the connection > will never happen and nothing bad will be send on the wire. > > EHL > >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] On Behalf >> Of William Mills >> Sent: Wednesday, October 13, 2010 5:05 PM >> To: Breno; Jeff Lindsay >> Cc: [email protected] >> Subject: Re: [OAUTH-WG] Request sent to http: instead of https:` >> >> This rather implies that we're specifying running a full server on port 80 >> as a >> "stupid detector". We should tread carefully here. >> >> > +1 for language in the spec describing how to handle this case >> > >> > On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay <[email protected]> >> > wrote: >> > >> Hopefully you also invalidate the token (if bearer) since it was >> > send over >> > >> an insecure channel. >> > > >> > > Excuse my naivety, but perhaps that's worth putting in the spec? >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >
-- Breno de Medeiros _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
