Re: [OAUTH-WG] web sso study...

John Bradley <ve7jtb@ve7jtb.com> Tue, 17 April 2012 14:57 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4F8D8208.5040001@cs.tcd.ie>
Date: Tue, 17 Apr 2012 16:57:24 +0200
Message-Id: <E459D26C-7FD4-4AEF-9307-FA7A9BD0EE5A@ve7jtb.com>
References: <4F8D8208.5040001@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] web sso study...

I posted to my blog about a significant implementation flaw made by people using Facebook's OAuth 2 implementation.

I understand that Facebook is fixing it in their own code, but many clients are exploitable.

For those interested:
http://www.thread-safe.com/2012/04/followup-on-oauth-facebook-login.html

The flaw is not in the spec but in implementations.

John B.

On 2012-04-17, at 4:45 PM, Stephen Farrell wrote:

> 
> Hi all,
> 
> A recent news article [1] was brought to my attention this week
> that's about a paper [2] which I've just read. While it mostly
> deals with implementation and integration flaws, I'm wondering
> if there's anything in there that could benefit any of the
> oauth drafts. Anyone had a look at that already?
> 
> Be interesting if any similar analysis has been done on any
> oauth 1.0 or 2.0 sites or implementations.
> 
> Ta,
> S.
> 
> [1] http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=66741
> [2] https://research.microsoft.com/pubs/160659/websso-final.pdf
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth