WeChat ID
aaronpk_tv
-
Just found out that @juliensolomita used my suggestion in his most recent video to do a mac + cheese tasteoff and I am STOKED. Because I love nothing more than some vegan mac. https://www.youtube.com/watch?v=EBv5A7NC2eI
-
at Gate 27San Jose, California • Thu, May 2, 2019 5:20pm -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk Yep, but in that case the attacker controls the redirect uri right? how can the attacker control the redirect uri without also controlling the pkce secret?
I'm trying to explain this in 200 character chunks but it clearly isn't working. I also can't find an existing page quickly that explains it better, so clearly I need to properly write it up. -
Nico Kaiser
https://twitter.com/nicokaiser
•
May 2
... assuming I can control what JS code runs on my site (which is a different problem), this should be safe, right?
That's a big assumption (you don't know what browser extensions the user is using) but yes that's one way to be more confident. I wouldn't use absolute terms like "safe" though. "Less risky" maybe. -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk you linked to "Insufficient Redirect URI Validation" though? maybe i'm just confused about what you were talking about.
Right, that's one way to steal data out of the redirect even if the browser is doing everything right.
The attacker creates a redirect url at the hostname of the real app but uses an endpoint on the app that can then redirect to the attackers app. Chaining the redirects using an open redirector. -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk Yes, i get that, but the attacker can make the access token request just as easily as the legitimate client.
No it can't, because the attacker won't have the PKCE secret at that point. (We're talking about the case where the code is stolen out of the redirect through one of many mechanisms) -
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk no, I understand that one, I just still don't see how pkce helps improper redirect validation (since the pkce secret and redirect URI come from the same request)
PKCE makes the auth code useless if it's stolen. In PKCE the secret isn't sent out until the access token request. -
Biggest laugh at #IIW so far: when @justin__richer in his session on “Is #selfsovereignidentity really possible” turned to Dave Crocker and said that we can all blame him for the Internet not having #security built in from the start.
-
At #IIW session on “Is #selfsovereignidentity really possible”, @xmlgrrl Eve Maler offers perhaps the most concise definition of of #privacy I’ve ever heard: “Privacy is context-controlled choice and respect.” Beautiful. And I believe actually possible with #SSI.
-
In @justin__richer’s #IIW “DIDn’t” session: Once more with feeling: Privacy is not secrecy; privacy is not encryption; privacy is context, control, choice, and respect.
-
alianora
https://cybre.space/@nightpool
•
May 2
@aaronpk huh? But the redirect_uri is controlled by the same person who controls the code_challenge
That particular attack doesn't assume a malicious browser, that one is improper redirect uri validation. I should probably just write up better explanations of all the attacks in that document but they are all described there. -
San Jose, California • Thu, May 2, 2019 3:57pm
-
San Jose, California • Thu, May 2, 2019 3:48pm
-
San Jose, California • Thu, May 2, 2019 3:43pm
-
Taxi
10.54miDistance34:47DurationStartEnd
