draft-hammer-oauth-00
October 14th, 2008
OAuth is an IETF ID now. Hmm.
Wide deployment of OAuth and similar protocols may cause Users to
become inured to the practice of being redirected to websites where
they are asked to enter their passwords. If Users are not careful to
verify the authenticity of these websites before entering their
credentials, it will be possible for attackers to exploit this
practice to steal Users’ passwords.
Service Providers should attempt to educate Users about the risks
phishing attacks pose, and should provide mechanisms that make it
easy for Users to confirm the authenticity of their sites.
Let the phishing begin.
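The quoted consideration is about where the User ends up after a redirect. As an added example (not code from this post or from the OAuth draft it quotes), here is one check a Service Provider can apply on its own side: before sending the User back to a Consumer, only honour a callback URL that the Consumer registered out of band, so the authorization endpoint cannot be used as an open redirect to a lookalike site. Consumer keys, hostnames and callbacks are constructed for the example.

```python
"""Added example, not code from the post or from the OAuth draft it quotes.

A Service Provider-side check on the oauth_callback a Consumer supplies:
only callbacks registered for that Consumer are honoured, so the authorization
endpoint cannot be turned into an open redirect to an arbitrary site.
All consumer keys, hostnames and callback URLs below are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit, urlencode

# Constructed registry: consumer key -> callback URLs registered out of band.
REGISTERED_CALLBACKS = {
    "consumer-printer": ["https://printer.example.com/oauth/callback"],
}


def is_allowed_callback(consumer_key: str, callback: str) -> bool:
    """True only if `callback` exactly matches a URL registered for this Consumer."""
    try:
        got = urlsplit(callback)
        port = got.port or 443  # .port raises ValueError on a non-numeric port
    except ValueError:
        return False
    # Reject anything that is not plain https, and any userinfo section:
    # "https://printer.example.com@evil.example/..." parses with hostname
    # evil.example, which a User glancing at the address bar may not notice.
    if got.scheme != "https" or got.username is not None or got.password is not None:
        return False
    if got.fragment:
        return False
    for registered in REGISTERED_CALLBACKS.get(consumer_key, []):
        want = urlsplit(registered)
        # urlsplit lowercases the hostname, so the compare is case-insensitive;
        # the path must match exactly, so no prefix or suffix variants pass.
        if (got.hostname == want.hostname
                and port == (want.port or 443)
                and got.path == want.path):
            return True
    return False


def callback_redirect(consumer_key: str, callback: str, oauth_token: str) -> Optional[str]:
    """Return the URL to send the User back to, or None if the callback is refused."""
    if not is_allowed_callback(consumer_key, callback):
        return None
    separator = "&" if urlsplit(callback).query else "?"
    return callback + separator + urlencode({"oauth_token": oauth_token})


if __name__ == "__main__":
    for url in (
        "https://printer.example.com/oauth/callback",
        "http://printer.example.com/oauth/callback",
        "https://printer.example.com@evil.example/oauth/callback",
        "https://printer.example.com.evil.example/oauth/callback",
    ):
        print(f"{url!r:65} -> {callback_redirect('consumer-printer', url, 'tok123')}")
```

This does not stop a User from being phished by a link that never touched the Service Provider, which is the draft's actual worry; it only keeps the Provider's own redirect from being the thing that delivers the User to the wrong site.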
October 15th, 2008 at 10:44 am
I wonder if there’s anything the browser could do on the UI front when it encounters an HTTP redirect that would improve things here…
October 15th, 2008 at 2:20 pm
Without arguing with your point (which was made many times before and without any real progress on solutions), it is still an overall improvement from just giving your username and password to a third party.
In addition, if a site is so concerned about redirection in this context, it can give users an “API Key” which they can manually type into the third party application and circumvent the OAuth token flow. It still uses the signature mechanism.
The problem with phishing is that so far, no one suggested any half-decent solution.
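The reply above says a manually typed “API Key” flow still uses the signature mechanism. As an added example (not code from the commenter or from the OAuth draft), here is what that mechanism is in OAuth 1.0's HMAC-SHA1 method: the Consumer builds the Signature Base String, signs it with “consumer secret & token secret”, and the Service Provider recomputes and compares; the secrets themselves never travel in the request. Secrets, keys and parameter values below are constructed sample values.

```python
"""Added example, not code from the comment or from the OAuth draft.

OAuth 1.0 HMAC-SHA1 signing: the Consumer proves possession of the Consumer
Secret and Token Secret by signing each request, and the Service Provider
verifies by recomputing the same signature.  All secrets, keys and
parameter values used here are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # OAuth's encoding leaves only RFC 3986 unreserved characters alone, so
    # "/" and ":" inside a nested URL are encoded too (quote()'s default keeps "/").
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # Every request parameter (oauth_* included) except oauth_signature is
    # encoded, sorted by key then value, joined with "&", and the whole
    # normalized string is then encoded once more as the third element.
    pairs = sorted(
        (percent_encode(k), percent_encode(v))
        for k, v in params.items() if k != "oauth_signature"
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Key is "<encoded consumer secret>&<encoded token secret>"; the token
    # secret is empty when signing a request-token request.
    key = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method: str, base_url: str, params: dict,
                 consumer_secret: str, token_secret: str = "") -> dict:
    """Consumer side: return a copy of params with oauth_signature added."""
    base = signature_base_string(method, base_url, params)
    return {**params, "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}


def verify_signature(method: str, base_url: str, params: dict,
                     consumer_secret: str, token_secret: str = "") -> bool:
    """Service Provider side: recompute from the received parameters and compare
    in constant time; any altered parameter changes the base string."""
    expected = hmac_sha1_signature(signature_base_string(method, base_url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


# Constructed sample request, in the shape of a signed GET for a photo.
SAMPLE_METHOD = "GET"
SAMPLE_URL = "http://photos.example.net/photos"
SAMPLE_PARAMS = {
    "file": "vacation.jpg",
    "size": "original",
    "oauth_consumer_key": "ck-printer",
    "oauth_token": "tok-123",
    "oauth_nonce": "n0nce",
    "oauth_timestamp": "1224000000",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}
SAMPLE_CONSUMER_SECRET = "consumer-secret"  # constructed
SAMPLE_TOKEN_SECRET = "token-secret"        # constructed

if __name__ == "__main__":
    signed = sign_request(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_PARAMS,
                          SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    print(signature_base_string(SAMPLE_METHOD, SAMPLE_URL, signed))
    print("signature:", signed["oauth_signature"])
    print("verifies:", verify_signature(SAMPLE_METHOD, SAMPLE_URL, signed,
                                        SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET))
```

The point relevant to the thread: whether the token was obtained through the redirect flow or typed in as an API key, what goes over the wire is a signature over the request, not the secret, so a captured request cannot be replayed with different parameters.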
October 31st, 2008 at 1:47 pm
[...] Eran Hammer-Lahav left a comment chiding me for my no-doubt unoriginal point that OAuth seems to encourage phishing. I’m a little disturbed by the thinking behind the objection. Sometimes, proposals have flaws that make them unworkable, and it seems to me that OAuth might have just such a flaw with regard to phishing, at least as it is implemented today. Posted by rsayre Filed in Uncategorized [...]