In which case, nothing the legit server does can help that client.
Since they're talking to the evil.

On Wednesday, October 13, 2010, Breno <[email protected]> wrote:
> Or a connection to evil will happen.
>
> On Wed, Oct 13, 2010 at 6:33 PM, Eran Hammer-Lahav <[email protected]> 
> wrote:
>> I don't think so. If you are not running a server on port 80, the connection 
>> will never happen and nothing bad will be sent on the wire.
>>
>> EHL
>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf
>>> Of William Mills
>>> Sent: Wednesday, October 13, 2010 5:05 PM
>>> To: Breno; Jeff Lindsay
>>> Cc: [email protected]
>>> Subject: Re: [OAUTH-WG] Request sent to http: instead of https:
>>>
>>> This rather implies that we're specifying running a full server on port 80 
>>> as a
>>> "stupid detector".  We should tread carefully here.
>>>
>>> > +1 for language in the spec describing how to handle this case
>>> >
>>> > On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay <[email protected]>
>>> > wrote:
>>> > >> Hopefully you also invalidate the token (if bearer) since it was
>>> > >> sent over an insecure channel.
>>> > >
>>> > > Excuse my naivety, but perhaps that's worth putting in the spec?
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
>
> --
> Breno de Medeiros
>

-- 
John Panzer / Google
[email protected] / abstractioneer.org / @jpanzer