WeChat ID
aaronpk_tv
-
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better
Think of it from the PoV of the thing sending the access token. It wants to make sure the AT ends up in the client and isn't stolen along the way. It can't trust the browser's address bar because the browser isn't the thing it's sending the token to, the code in the browser is. -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better
Here's one: The access token is sent in the address bar, so it becomes part of the browser history. This will be written to disk, and possibly even synced to the browser's "cloud" and then even synced down to other devices. -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk sorry I guess I should have specified "with https". doesn't https' security model encompass this one?
Nope because the browser is still an unknown there, at least from the point of view of the sender of the sensitive data. -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?
Think of it this way: The server is trying to send some sensitive data to the application, but has no direct communication channel, and instead has to trust some other piece of software (the browser) to deliver it. -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?
An easy example to see is captive wifi portals where the network intercepts DNS requests and returns a different answer. -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?
That's the classic problem with the front-channel (sending data over HTTP redirects in a browser). The sender has no way to know if the receiver got the data, and has no way to tell if it was stolen or copied. -
Browser APIs have gotten so much better lately! Way easier to do @oauth_2 PKCE in a browser now:
✅ good random number generators
✅ secure hashing functions
Just missing a good base64 encoding function. (Check out the ugly hack in the post.)
https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead#begin-the-pkce-request -
Mountain View, California • Thu, May 2, 2019 7:54am
-
-
at Hotel VueMountain View, California • Thu, May 2, 2019 7:29am
-
-
-
AsleepAwake8h 03mSlept23mAwake for
-
current status: wrapped up the web standards meeting for the day, and now watching the recording of yesterday's Planning and Sustainability Commission meeting in Portland, a different kind of standards meeting.
what? I don't have too many projects *you* have too many projects -
Now that the conference is over, I can finally relax and watch the talks from the comfort of my living room sofa.
#ml4all #conference #machinelearning #appletv
-
at Hotel VueMountain View, California • Wed, May 1, 2019 8:42pm
-
Taxi
3.11miDistance6:41DurationStartEnd
