@mzsanford Thanks Matt, no matter what all these other Yahoo's are saying about you, it's appreciated!
(j/k to all you Yahoo's) ;^) -Michael

p.s. Is OAuth back on yet? I'd hate to see it start getting the nickname of NOAuth.

On Apr 23, 1:43 pm, Chad Etzel <[email protected]> wrote:
> On Thu, Apr 23, 2009 at 2:35 PM, Dossy Shiobara <[email protected]> wrote:
> > On 4/23/09 11:33 AM, Chad Etzel wrote:
> >> On Thu, Apr 23, 2009 at 11:19 AM, Dossy Shiobara <[email protected]> wrote:
> >>> An attacker can't get in the middle of an application communicating to Twitter using HTTP Basic Auth.
> >>
> >> WRONG. Anyone doing any sort of packet sniffing could easily get user/pass combos at will. Wireless promiscuous mode + Wireshark = instant account hacking. This, of course, holds true only for http transactions (and not https transactions), but there are a good number of clients/apps that don't use the https endpoints.
> >
> > Packet sniffing as an attack vector is significantly more difficult to achieve than the OAuth attack is. Defend against the more likely threats before worrying about the less likely ones.
>
> I wholeheartedly disagree. Sit in a tech conference room with a laptop and sniff away at least a hundred accounts in under 5 minutes. I'm not saying I've done it, but I'm not saying I haven't, either....
>
> >> Man in the middle attacks are certainly possible with Basic Auth as well. They just eat the original request, steal the user/pass combo, and do whatever they want with it.
> >
> > This is a standard phishing attack, and standard advice for anti-phishing applies here.
>
> No, phishing != man-in-the-middle. If I hack a router to intercept all traffic headed toward twitter.com and then grok out the credentials, this has nothing to do with social engineering or phishing... I've just screwed your account, and you have no idea how.
>
> Obviously there are attack vectors with both methods, but I contend that Basic Auth is much much much easier to attack than OAuth (even in its current state, and even more so when it is upgraded/patched to deal with this new vector).
>
> -Chad
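The difference Chad is arguing about can be shown on the wire. The example below is added for this page; it is not code from anyone in the thread or from Twitter. It builds two constructed requests to the old plain-http twitter.com endpoint, one with Basic auth and one signed with OAuth 1.0 HMAC-SHA1 as in RFC 5849, using made-up keys, secrets, a fixed nonce and a fixed timestamp. Parsing the Basic request the way a sniffer would yields the username and password outright; parsing the OAuth request yields a consumer key, a token and a signature but neither secret, and replaying that request with a different body (what a compromised router would try) fails the server-side check because the signature covers method, URL and every parameter. The base-string function is checked against the worked example in RFC 5849 section 3.4.1.1.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request (bytes) into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("iso-8859-1")

def sniff_basic_credentials(raw):
    """What a sniffer recovers from a Basic-auth request: (user, password), or None."""
    _, _, headers, _ = parse_http_request(raw)
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

def _pct(value):  # RFC 5849 percent-encoding: only unreserved characters pass through
    return quote(str(value), safe="")

def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & base URL & sorted, encoded parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    all_params = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((_pct(k), _pct(v)) for k, v in all_params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])

def oauth_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string; the two secrets are the key and never go on the wire."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_oauth_request(method, url, body_params, consumer_key, consumer_secret,
                        token, token_secret, nonce, timestamp):
    """Client side: sign a form POST and return the raw bytes a sniffer would see."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
             "oauth_token": token, "oauth_version": "1.0"}
    oauth["oauth_signature"] = oauth_signature(
        method, url, list(oauth.items()) + list(body_params), consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in oauth.items())
    body, parts = urlencode(body_params), urlsplit(url)
    return (f"{method} {parts.path} HTTP/1.1\r\nHost: {parts.netloc}\r\n"
            f"Authorization: {header}\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()

def parse_oauth_header(value):
    """Turn 'OAuth k="v", k="v"' into a dict; None for any other auth scheme."""
    scheme, _, rest = value.partition(" ")
    if scheme != "OAuth":
        return None
    pairs = (item.strip().partition("=") for item in rest.split(","))
    return {k: unquote(v.strip('"')) for k, _, v in pairs}

def verify_oauth_request(raw, consumer_secret, token_secret):
    """Server side: rebuild the base string from what arrived and recompute the HMAC.
    Assumes plain http (the 2009 endpoints); a real server also rejects reused nonces."""
    method, target, headers, body = parse_http_request(raw)
    fields = parse_oauth_header(headers.get("authorization", ""))
    if not fields:
        return False
    params = [(k, v) for k, v in fields.items() if k not in ("realm", "oauth_signature")]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    expected = oauth_signature(method, f"http://{headers['host']}{target}", params,
                               consumer_secret, token_secret)
    return hmac.compare_digest(expected, fields.get("oauth_signature", ""))

def tamper_body(raw, new_body):
    """Replay a sniffed request with a different body, as a hacked router could."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = [line for line in head.decode("iso-8859-1").split("\r\n")
             if not line.lower().startswith("content-length:")]
    return ("\r\n".join(lines) + f"\r\nContent-Length: {len(new_body)}\r\n\r\n{new_body}").encode()

# Constructed samples, not real captures: the same status update sent with Basic auth and
# with OAuth to a 2009-era twitter.com endpoint. Keys, secrets, nonce and time are made up.
BASIC_REQUEST = (b"POST /statuses/update.xml HTTP/1.1\r\nHost: twitter.com\r\n"
                 b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"  # base64("alice:hunter2")
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 12\r\n\r\nstatus=hello")
CONSUMER_SECRET, TOKEN_SECRET = "example-consumer-secret", "example-token-secret"
OAUTH_REQUEST = build_oauth_request(
    "POST", "http://twitter.com/statuses/update.xml", [("status", "hello")],
    "example-consumer-key", CONSUMER_SECRET, "example-token", TOKEN_SECRET,
    nonce="7d8f3e4a", timestamp=1240509780)
FORGED_REQUEST = tamper_body(OAUTH_REQUEST, "status=pwned")  # sniffed, then body replaced
```

Calling `sniff_basic_credentials(BASIC_REQUEST)` returns the cleartext pair, while the same call on `OAUTH_REQUEST` returns nothing and neither secret string appears anywhere in those bytes; `verify_oauth_request` accepts the original OAuth request and rejects `FORGED_REQUEST`. Two caveats the code does not remove: a sniffed OAuth request can still be replayed unchanged until the server tracks nonces and timestamps (omitted here), and the separate OAuth flaw the thread refers to as "this new vector" lives in the authorization flow, not in request signing, so nothing above addresses it.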
