Re: [OAUTH-WG] problem statement

David Waite <david@alkaline-solutions.com> Wed, 07 September 2011 18:18 UTC

From: David Waite <david@alkaline-solutions.com>
Date: Wed, 07 Sep 2011 12:20:01 -0600
To: Michael Thomas <mike@mtcc.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement

On Sep 7, 2011, at 12:02 PM, Michael Thomas wrote:
> 
> It's not nonsense:
> 
> 1) App prompts me for my credentials to Facebook -- I wonder whether
>    I trust the app.
> 2) App puts me in a Facebook login window -- I figure that it's secure and
>    don't wonder whether I trust the app.
> 
The assumption for #1 is that the app gave you a user experience for entering your Facebook credentials that looks different than the actual Facebook login window. If the app is malicious, this will most likely not be the case.

The advantage OAuth provides is that it can vet/ban clients which are doing malicious things. However, even a client with no OAuth support at all is still capable of providing a realistic-looking login window using an embedded user agent, and capturing the real username/password.

-DW