[oauth] Re: Need for timestamp and nonce over HTTPS

2009-10-05 Thread Allen Tom
beckett wrote: But if you just use PLAINTEXT you as Yahoo! Contacts have absolutely no idea if it's REALLY PLAXO at the other end. It is trivial for any site to get user to give up data. In which case you might as well not use OAUTH and just make your data publicly available period. So I

[oauth] Re: Need for timestamp and nonce over HTTPS

2009-10-05 Thread beckett
Again, as I acknowledged in response to Richard's point, I was wrong in assuming that HMAC offers any more protection than PLAINTEXT for the sort of attacks I had in mind. You are quite right, it does not. My apologies. Hopefully my broader point did not get lost. Also, I wonder if in the

[oauth] Re: Need for timestamp and nonce over HTTPS

2009-10-05 Thread Allen Tom
Yes, I agree, the wording could be rephrased to indicate that the Consumer's credentials (the consumer secret) as well as the user credentials, the Access Token (and access token secret), are not protected when using PLAINTEXT without HTTPS. Allen beckett wrote: Also, I wonder if in the

[oauth] Re: Need for timestamp and nonce over HTTPS

2009-10-05 Thread prashant kulkarni
Thanks a lot folks for all your inputs. It sounds like as long as I use SSL the right way, there is no apparent danger of using PLAINTEXT even though I discard the check for timestamp and nonce. I am trying to make it easy on our consumers to use our APIs using OAuth. It sounds like using HTTPS

[oauth] YAuth is not OAuth

2009-10-05 Thread Pelle Braendgaard
Hi Guys, I am not trying to troll with this post, but I do feel that this is very important if we don't want OAuth to fragment. I have intentionally been avoiding work with Yahoo's OAuth implementation until a client of mine asked me to do so. Doing that I've been working on Yahoo support in the

[oauth] Re: YAuth is not OAuth

2009-10-05 Thread Eran Hammer-Lahav
I rarely speak on behalf of Yahoo! but I find this post misleading and unnecessarily negative. I was not working for Yahoo! at the time most of this took place. Yahoo! approached the community soon after the OAuth specification was completed to find ways to accommodate their unique