Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even over HTTPS

2016-07-26 Thread ve7jtb
PS: Using PKCE S256 would prevent this attack on web server clients, as long as the client uses a different PKCE value for each request. Even if the attacker can observe both the request and response, they would not have the code_verifier, and if replaying the code to the client the client

[OAUTH-WG] URGENT: WPAD attack exposes URL contents even over HTTPS

2016-07-26 Thread Dick Hardt
http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/ Access tokens included as a URL query parameter when accessing a resource are susceptible to this attack. Authorization codes are also visible. From what I know, we have not depended on

Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4749)

2016-07-26 Thread Jim Manico
Please forgive me if this comment is out of order or inappropriate in any way... ...but why is HTTP Basic even being discussed in 2016? It has horrific security properties at multiple levels; shouldn't we at least move to HTTP Digest if not something stronger? Regards. -- Jim Manico @Manicode

[OAUTH-WG] [Technical Errata Reported] RFC6749 (4749)

2016-07-26 Thread RFC Errata System
The following errata report has been submitted for RFC6749, "The OAuth 2.0 Authorization Framework". -- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6749=4749 -- Type: Technical