Unfortunately, WE have to check this "timestamp" ourselves. This came from the same doc that you sent... ( http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/6/spec.html#signing_process )

"The Service Provider verifies the signature as specified in each method. When verifying a Consumer signature, the Service Provider SHOULD check the request nonce to ensure it has not been used in a previous Consumer request."

Well, so when using MakeRequest, WE have to do some code routines to block the replay attacks. I think this information should be more evident in the API Documentation. Am I right?

Thanks,
Luciano R.

PS: The log files could be, for example, sent to a remote server for statistics processing. So, I'm not pwned! :)

On Thu, Apr 3, 2008 at 4:25 AM, Keaka <[EMAIL PROTECTED]> wrote:
>
> I think signed requests include a nonce and a timestamp that you can
> use to defend against replay attacks. So even if somebody got their
> hands on an old signed request, you could defend against it.
>
> From the OAuth spec:
> "A nonce is a random string, uniquely generated for each request. The
> nonce allows the Service Provider to verify that a request has never
> been made before and helps prevent replay attacks when requests are
> made over a non-secure channel (such as HTTP)."
>
> http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/6/spec.html#signing_process
>
> If bad people have access to your web server logs, aren't you already
> pwned?
>
> [Disclaimer: I haven't used signed requests yet and don't know much
> about OAuth]
>
> On Apr 2, 11:12 am, "Luciano Ricardi" <[EMAIL PROTECTED]> wrote:
> > When using the SIGNED authorization type in a "makeRequest()" call, the
> > signature that is sent in the request parameters url is logged in our Web
> > Server log file. So, if someone (maybe a bad person) accesses these logs,
> > they could use this URL to send a direct access to my application and
> > obtain the "trusted" content. In time, if someone is "eavesdropping" my
> > network perimeter, they could obtain this url too.
> >
> > Is that right? If yes, are there some workarounds to make this transaction
> > secure?
> >
> > Thanks,
> >
> > Luciano R.
>
>

--
Luciano
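Since the thread leaves the actual nonce/timestamp check to the Service Provider, here is an added example (not from the thread, the OpenSocial API or the OAuth spec) of the server-side routine Luciano refers to, written in Python. It assumes the signature itself has already been verified elsewhere and uses the standard oauth_consumer_key, oauth_nonce and oauth_timestamp parameters; the ReplayGuard class, the 300-second window and the sample request are constructed for this example.

```python
import time

# Replay-protection check for OAuth 1.0 signed requests (added example).
# Assumes the signature has already been verified separately; this only
# enforces the nonce/timestamp rule the spec leaves to the Service Provider.

MAX_CLOCK_SKEW = 300  # seconds; accept timestamps within +/- 5 minutes (assumed)


class ReplayGuard:
    """Remembers (consumer_key, nonce, timestamp) triples seen recently."""

    def __init__(self, window=MAX_CLOCK_SKEW):
        self.window = window
        self._seen = {}  # (consumer_key, nonce, timestamp) -> expiry time

    def _purge(self, now):
        # Drop entries older than the window; anything that old would be
        # rejected by the timestamp check anyway, so it need not be remembered.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def check(self, params, now=None):
        """Return (ok, reason). params is the dict of request parameters."""
        now = time.time() if now is None else now
        self._purge(now)
        try:
            key = params["oauth_consumer_key"]
            nonce = params["oauth_nonce"]
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed oauth_consumer_key/nonce/timestamp"
        # Stale or future-dated requests are refused before any nonce lookup,
        # which also bounds how many nonces must be kept in memory.
        if abs(now - ts) > self.window:
            return False, "timestamp outside acceptable window"
        triple = (key, nonce, ts)
        if triple in self._seen:
            return False, "nonce already used (possible replay)"
        self._seen[triple] = now + self.window
        return True, "ok"


# Constructed sample: the same signed request presented twice.
SAMPLE = {"oauth_consumer_key": "example.org", "oauth_nonce": "kllo9940pd9333jh",
          "oauth_timestamp": "1207210800", "oauth_signature": "<verified-elsewhere>"}

if __name__ == "__main__":
    guard = ReplayGuard()
    print(guard.check(SAMPLE, now=1207210810))  # first use: (True, 'ok')
    print(guard.check(SAMPLE, now=1207210815))  # replay: rejected
```

In production the seen-nonce store must be shared across all server instances (a database or cache with expiry), otherwise a replay against a different node passes the check.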
