I think signed requests include a nonce and a timestamp that you can use to defend against replay attacks. So even if somebody got their hands on an old signed request, you could defend against it.
From the OAuth spec: "A nonce is a random string, uniquely generated for each request. The nonce allows the Service Provider to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel (such as HTTP)." http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/6/spec.html#signing_process

If bad people have access to your web server logs, aren't you already pwned?

[Disclaimer: I haven't used signed requests yet and don't know much about OAuth]

On Apr 2, 11:12 am, "Luciano Ricardi" <[EMAIL PROTECTED]> wrote:
> When using the SIGNED authorization type in a "makeRequest()" call, the
> signature that is sent in the request parameters URL is logged in our Web
> Server log file. So, if someone (maybe a bad person) accesses these logs,
> they could use this URL to send a direct access to my application and
> obtain the "trusted" content. In time, if someone is "eavesdropping" on my
> network perimeter, they could obtain this URL too.
>
> Is that right? If yes, are there some workarounds to make this transaction
> secure?
>
> Thanks,
>
> Luciano R.

You received this message because you are subscribed to the Google Groups "OpenSocial Application Development" group.
