Comments on: draft-hammer-oauth-00 http://blog.mozilla.com/rob-sayre/2008/10/14/draft-hammer-oauth-00/ This Must Be the Place (Naive Melody) Thu, 10 Sep 2009 06:17:03 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: Rob Sayre’s Mozilla Blog » Blog Archive » Security happenings http://blog.mozilla.com/rob-sayre/2008/10/14/draft-hammer-oauth-00/comment-page-1/#comment-8582 Rob Sayre’s Mozilla Blog » Blog Archive » Security happenings Fri, 31 Oct 2008 21:47:53 +0000 http://blog.mozilla.com/rob-sayre/?p=177#comment-8582 [...] Eran Hammer-Lahav left a comment chiding me for my no-doubt unoriginal point that OAuth seems to encourage phishing. I’m a little disturbed by the thinking behind the objection. Sometimes, proposals have flaws that make them unworkable, and it seems to me that OAuth might have just such a flaw with regard to phishing, at least as it is implemented today. Posted by rsayre Filed in Uncategorized [...] [...] Eran Hammer-Lahav left a comment chiding me for my no-doubt unoriginal point that OAuth seems to encourage phishing. I’m a little disturbed by the thinking behind the objection. Sometimes, proposals have flaws that make them unworkable, and it seems to me that OAuth might have just such a flaw with regard to phishing, at least as it is implemented today. Posted by rsayre Filed in Uncategorized [...]

]]> By: Eran Hammer-Lahav http://blog.mozilla.com/rob-sayre/2008/10/14/draft-hammer-oauth-00/comment-page-1/#comment-8530 Eran Hammer-Lahav Wed, 15 Oct 2008 22:20:15 +0000 http://blog.mozilla.com/rob-sayre/?p=177#comment-8530 Without arguing with your point (which was made many times before and without any real progress on solutions), it is still an overall improvement from just giving your username and password to a third party. In addition, if a site is so concern about redirection in this context, it can give users an "API Key" which they can manually type into the third party application and circumvent the OAuth token flow. It still uses the signature mechanism. The problem with phishing is that so far, no one suggested any half-decent solution. Without arguing with your point (which was made many times before and without any real progress on solutions), it is still an overall improvement from just giving your username and password to a third party.

In addition, if a site is so concern about redirection in this context, it can give users an “API Key” which they can manually type into the third party application and circumvent the OAuth token flow. It still uses the signature mechanism.

The problem with phishing is that so far, no one suggested any half-decent solution.

]]> By: Dan Mosedale http://blog.mozilla.com/rob-sayre/2008/10/14/draft-hammer-oauth-00/comment-page-1/#comment-8528 Dan Mosedale Wed, 15 Oct 2008 18:44:48 +0000 http://blog.mozilla.com/rob-sayre/?p=177#comment-8528 I wonder if there's anything the browser could do on the UI front when it encounters an HTTP redirect that would improve things here... I wonder if there’s anything the browser could do on the UI front when it encounters an HTTP redirect that would improve things here…

]]>