> So we have 2 different communities of OAuth developers that
> will never agree.
>
> SHOULD: Typically the social networking sites that need to
> cater for tail end developers by not enforcing TLS on
> redirect_uri. It is a risk to think that using strong
> language in the spec will help them appreciate the issues
>
> MUST: Typically enterprise organisations (I am in this
> camp). They can enforce indirectly by only supporting
> registered callback urls and ensure those use TLS
Security is at least as necessary to social networking sites as to enterprise sites. Think about what this means for Facebook. If you are using Wi-Fi in a cafe and use the Facebook login button to log in to any application, a hacker can easily impersonate you.

By the way, is somebody from Facebook reading this? If so, this is a vulnerability that Facebook has right now, and you should do something about it. At the very least you should change the examples of redirect URIs in the developer documentation so that they use https rather than http.

Francisco
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
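The "MUST" camp's mitigation described in the quoted message (accept only registered callback URLs, and require those to use TLS) is straightforward to implement on the authorization server. The following is an added example written for this page, not code from the thread, the OAuth specification or any named provider; the function names `registration_problem` and `resolve_redirect_uri`, and the sample client registry, are assumptions constructed for illustration. It applies two checks: at registration time it rejects any redirect_uri that is not an absolute https URL without a fragment, and at authorization time it only ever redirects to a URI that exactly matches a registered one, so an http:// or look-alike value supplied in the request is never honoured.

```python
from typing import Optional, Sequence
from urllib.parse import urlsplit


def registration_problem(redirect_uri: str) -> Optional[str]:
    """Policy applied when a client registers a callback URL.

    Returns None if the URI is acceptable, otherwise a human-readable reason.
    Only absolute https URLs are accepted, so an authorization code or token
    can never be redirected over cleartext (the cafe Wi-Fi scenario above).
    Fragments are refused because they never reach the server and would make
    the exact-match comparison below ambiguous.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return f"redirect_uri must use https, got {parts.scheme or 'no'} scheme"
    if not parts.netloc:
        return "redirect_uri must be an absolute URL with a host"
    if parts.fragment:
        return "redirect_uri must not contain a fragment"
    return None


def resolve_redirect_uri(registered: Sequence[str], requested: Optional[str]) -> Optional[str]:
    """Policy applied on every authorization request.

    Returns the URI the server may redirect to, or None if the request must be
    rejected *without* redirecting anywhere (redirecting an error to an
    unregistered URI would hand the attacker a channel of its own).

    The value from the request is compared by exact string match against the
    registered list; every entry in that list already passed
    registration_problem, so TLS is enforced indirectly, as the quoted
    message describes. If the request omits redirect_uri, the client must
    have exactly one registered URI for the choice to be unambiguous.
    """
    if requested is None:
        return registered[0] if len(registered) == 1 else None
    if requested not in registered:
        return None
    return requested


# Constructed sample registry (hypothetical client ids and hosts).
CLIENTS = {
    "enterprise-app": ["https://portal.example/oauth/callback"],
    "two-callbacks": ["https://a.example/cb", "https://b.example/cb"],
}


def demo() -> None:
    """Walk through the registration and authorization checks with sample input."""
    for candidate in (
        "https://portal.example/oauth/callback",   # accepted
        "http://portal.example/oauth/callback",    # rejected: cleartext
        "https://portal.example/oauth/callback#x", # rejected: fragment
        "/oauth/callback",                          # rejected: not absolute
    ):
        problem = registration_problem(candidate)
        print(f"register {candidate!r}: {'ok' if problem is None else problem}")

    for client_id, requested in (
        ("enterprise-app", "https://portal.example/oauth/callback"),
        ("enterprise-app", "http://portal.example/oauth/callback"),
        ("enterprise-app", None),
        ("two-callbacks", None),
    ):
        target = resolve_redirect_uri(CLIENTS[client_id], requested)
        print(f"authorize {client_id} with {requested!r}: "
              f"{'redirect to ' + target if target else 'reject, no redirect'}")


if __name__ == "__main__":
    demo()
```

The key design choice is that a failed check at authorization time returns `None` rather than an error redirect: the server shows the error itself, because sending anything to a URI that did not pass the registration policy would defeat the point of the policy.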
