You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
One neat thing that we might want to think about in the future is echoing GitHub's authorization API: you can use basic auth to request an oauth token, so you don't have to go through the full oauth dance. :)
You can use basic auth to acquire an application token. However, the reason this is secure is that the random handshaking oauth uses to ensure no replay attacks can occur is superseded by ssl. So, if you do this, ensure that you check that the credentials are correct AND that the request was made over ssl. This cannot be used on any nodes that elect not to have an ssl cert. :)
OAuth is equivalent basically to basic auth + ssl in terms of attack area. You attack the initial handshake for OAuth, or you attack the initial handshake for ssl, and you could see the information passed on subsequent requests. shrug If people elect not to have SSL, OAuth is severely better than nothing, and due to using a random number and an HMAC can be used without SSL. Pessimistically speaking, both approaches are rather broken on a security level, but do obscure passwords in the common case. Also, the government probably has every SSL private key. :) :) :C
Yeah, totally. It will be insecure if the eavesdropper witnesses the handshake. SSL is broken if the eavesdropper can inject a cert or knows the private key. shrug :) But SSL would solve the problem of witnessing the key exchange at the OAuth layer by pushing the problem down a layer. It is theoretically impossible to solve the key exchange problem, so OAuth placed it out-of-scope and gives responsibility to SSL, which solves it poorly. :D :D :D
OAuth says that SSL MUST be used to get the token_secret, which makes sense, so you'd be correct that it should reject requests not over SSL regardless. Hmm, in that case, is OAuth nothing more than a glorified redirect? I now have newfound lulz over that spec.
The text was updated successfully, but these errors were encountered:
From discussion in #692:
@steveklabnik:
@wilkie:
@steveklabnik:
@wilkie:
@steveklabnik:
@wilkie:
The text was updated successfully, but these errors were encountered: