https://bugzilla.wikimedia.org/show_bug.cgi?id=54110
Web browser: ---
Bug ID: 54110
Summary: Force HTTPS for /token if the Consumer is not using an RSA key
Product: MediaWiki extensions
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: OAuth
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected], [email protected]
Classification: Unclassified
Mobile Platform: ---
We currently don't require HTTPS for the consumer to get the authorization
token. The auth token's secret is combined with the consumer's secret for an
HMAC signature, so part of the signing key would be known to an attacker if
they can sniff this traffic.
RFC 5849, section 2.3, says that:

    Since the request results in the transmission of plain text
    credentials in the HTTP response, the server MUST require the use of
    a transport-layer mechanism such as TLS or SSL (or a secure channel
    with equivalent protections).
However, if the Consumer is using an RSA key, then the authorization token's
secret isn't used, so the security isn't affected by not using SSL for the
/token call.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
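The following is an added example, not code from the MediaWiki OAuth extension or from the bug reporter, written in Python rather than the extension's PHP. It builds an OAuth 1.0a HMAC-SHA1 signature as RFC 5849 section 3.4 specifies, so that the point of the bug is visible in the code: the token secret returned on the /token response is literally the second half of the HMAC signing key, which is why section 2.3 demands TLS for that response. It also encodes the rule the bug proposes (force HTTPS unless the consumer uses RSA-SHA1) as a function; that rule, the endpoint URL and all credential values are constructed for illustration and are not the extension's logic or data.

```python
# Added example, not code from the MediaWiki OAuth extension. It constructs an
# OAuth 1.0a (RFC 5849) HMAC-SHA1 signature the way section 3.4 describes, to
# show that the token secret delivered on the /token response is half of the
# HMAC signing key, which is why RFC 5849 section 2.3 requires TLS there.
# With RSA-SHA1 (section 3.4.3) the base string is signed with the consumer's
# private key alone and the token secret never enters the key.
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials: the token secret is exactly the kind of
# value a plaintext /token response would expose to a passive observer.
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters pass."""
    return quote(value, safe="-._~")


def hmac_signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key = pct(consumer secret) '&' pct(token secret).

    The token secret is empty only for the very first (temporary credential)
    request; once a token exists, its secret is part of every HMAC key.
    """
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """Section 3.4.1: METHOD '&' pct(URL) '&' pct(normalized parameters)."""
    # Parameters are sorted by encoded name, then encoded value (3.4.1.3.2).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str = "") -> str:
    """Section 3.4.2: base64(HMAC-SHA1(key, base string))."""
    key = hmac_signing_key(consumer_secret, token_secret).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def token_secret_in_signing_key(signature_method: str) -> bool:
    """Which RFC 5849 signature methods depend on the token secret.

    HMAC-SHA1 (3.4.2) keys on it and PLAINTEXT (3.4.4) transmits it; RSA-SHA1
    (3.4.3) uses only the consumer's private key. This is the condition the
    bug proposes for forcing HTTPS on /token (an assumption about the fix,
    not the extension's actual check).
    """
    return signature_method.upper() in ("HMAC-SHA1", "PLAINTEXT")


if __name__ == "__main__":
    params = {  # constructed request parameters
        "oauth_consumer_key": "dpf43f3p2l4k3l03",
        "oauth_token": "nnch734d00sl2jdk",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1379000000",
        "oauth_nonce": "c0ns7ruct3d",
        "oauth_version": "1.0",
    }
    base = signature_base_string("GET", "https://example.org/w/index.php", params)
    print("signing key:", hmac_signing_key(CONSUMER_SECRET, TOKEN_SECRET))
    print("signature  :", hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET))
    for m in ("HMAC-SHA1", "RSA-SHA1", "PLAINTEXT"):
        print(f"{m:10} token secret in key / force HTTPS on /token: "
              f"{token_secret_in_signing_key(m)}")
```

Running it prints the signing key `kd94hf93k423kf44&pfkkdhi9sl3r4s00`, which makes the risk concrete: everything after the `&` is what a cleartext /token response hands to anyone on the path, leaving only the consumer secret as unknown key material. The last loop is the proposed policy from the bug summary in one line: HMAC-SHA1 and PLAINTEXT consumers get HTTPS enforced, RSA-SHA1 consumers do not need it for this call.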