Security is never about stopping 100% of attacks, since that's ... • Aaron Parecki

alianora https://cybre.space/@nightpool • May 2
@aaronpk sure, but a malicious browser could also save the entire js state to disk in exactly the same way (and some do a limited version of this for caching purposes). so it's hard for me to think of that as a security benefit? this is only more secure if everyone along the line behaves exactly in the way you expect it to

Security is never about stopping 100% of attacks, since that's impossible. It's about mitigating risk, and reducing the attack surface.

It's worth reading this whole document even if it is a bit terse. Here's a good example of an unexpected attack on the Implicit flow: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-4.1

Sunnyvale, California • 49°F

Thu, May 2, 2019 3:30pm -07:00

2 replies
Have you written a response to this? Let me know the URL:
- alianora cybre.space/@nightpool
  
  @aaronpk I totally agree about security being about mitigating risk! I'm just really trying to understand the risks at play here since the ones you've been talking about seem really far fetched and hard to understand to me. If you think your browser or it's cloud is a risk, then you just shouldn't be using it, full stop.
  
  Thu, May 2, 2019 10:57pm +00:00
- alianora cybre.space/@nightpool
  
  @aaronpk isn't the section you linked to just as much of a concern under the authorization code flow as the implicit flow? since javascript clients are public clients no matter what?
  
  Thu, May 2, 2019 10:38pm +00:00

Posted in /replies using monocle.p3k.io