Comments on: Why wasn’t OAuth Vulnerability found earlier?

By: donpark

donpark — Wed, 29 Apr 2009 04:21:18 +0000

Matt, while I agree that other protocols had flaws of varying nature, uncovering of fundamental flaws like the OAuth one and DNS one are rare events, often resulting in industry-wide scramble.

Also, I don’t think we should accept incidental trickles of flaw discoveries as the norm when there are actions we can take to improve the process.

IMO, it’s the same with open source projects. OS participants are primarily focused on using, extending, or repurposing the project code which means while bugs are uncovered, security vulnerabilities are rarely found until attack incidents occur or by chance.

So I think some attention should be paid to finding ways or factors to introduce in grassroots initiatives and open source projects that encourages early detection of security vulnerabilities.

By: Matt Brubeck

Matt Brubeck — Wed, 29 Apr 2009 03:24:06 +0000

I don’t think it’s that complicated. There have been all manner of crypto protocols and security protocols that have been in use for years before critical flaws were discovered. Some were developed by standards bodies or subject to academic peer review. The fact is that any flaws left in a system after it’s been reviewed and revised and published can be quite hard to see, even if they’re obvious after someone points them out.

By: Peter Keane

Peter Keane — Wed, 29 Apr 2009 01:25:31 +0000

I recently implemented my first OAuth client and had a slightly uneasy feeling that there was a bit of magic — I couldn’t cleary see how it was truly secure. Fact is, it was pretty darn close — the hole was never exploited (that we know) and steps are being taken to close that hole.

That said, a simple fix will still leave a bit of “magic:” there is an authentication equivalency that is not being addressed (in OAuth terms, that user@consumer == user@service_provider) by way of a properly out-of-band mechanism. I would prefer to see that hole sewn up more definitively — essntially “whitelisting good guys” rather than “blacklisting bad guys” (which can become a game of whack-a-mole). I should note that many knowledgeable folks on the list feel the proposed fix is adequate. Two-legged OAuth, a less common use than the typical Three-legged flavor, is an excellent protocol (the exploit was discovered only in the Three-legged variety), and I suspect we’ll see more adoption as a stand-in for HTTP Basic & HTTP Digest authentication.