security - OAuth and phishing vulnerabilities, are they inexorably tied together? -


I've been doing a fair job with OAuth lately, and I have to say that I really like it. I like the concept, and I like that it provides insertion of a low blocker to connect your users' external data to your site (or to provide a data API for external access to you) private As a matter of fact, I have always attached sites that ask me to login directly to another website from me. And the Oath "Wallet key for web" approach resolves this well.

The biggest problem I (and many others) with it though, standard oath work flow encourages the same type of behavior that phishing attacks use for their benefit, if you use your user It is common practice to be redirected to a site to provide login credentials, so it is easy for the phishing site to take advantage of general practice, but Means to redirect their clone site where they receive their username and password.

  • Are you asking users to login and login to the available site?

    Did you do anything to reduce this problem, or did it? Manually, without automatic link or redirection? (But then the barrier of entry increases)

  • Do you try to educate your users, and if so, when and how? Any long description of security that the user has to read, also increases entry barrier.

What else?

I believe that oh and phishing are at least in the current form of Oeth forbidden are connected. The system exists to stop phishing, the most likely HTTP (stop laughing ...), but obviously it does not work.

There is a very successful attack against the phishing system, for which a username / password congos are required, as long as people use a username and password for authentication phishing, there is always a problem Will be. Using asymmetric cryptography for a better system authentication All modern browsers have built in support for smart cards. You can not fish the card sitting in a wallet and will not leak the private key of the user's desktop. Asymmetric Keypair does not have to be on Smartcard, but I think it creates a strong system, if it is fully implemented in the software.


Comments

Post a Comment

Popular posts from this blog

sql - dynamically varied number of conditions in the 'where' statement using LINQ -

I am using my first project LINQ (in mvc), so maybe there's something very simple that I remember. However, a day of searching and experimenting does not work, so it works. I am trying to write a LINQ query (Linux to SQL) in which in many cases where the statement is different from an OR or an AND. We do not know how many conditions are going in the query till runtime. This search is for filter control, where the user can choose multiple criteria for filtering. Select from table where table.col = 1 or table.col = 2 or table.col = 7 .... 'Other number of conditions Before I just create the SQL query as a string, while looping over all the situations. However, it seems that there should be a good way to do this in LINQ. I tried to use Expression trees, but they had a second thought for this moment on my head, where the lambda function was to be executed inside the statement such as: values ​​for matchingRows = matchingRows for each value Where (function (row) row.c...
Read more

asp.net mvc - Dynamically Generated Ajax.BeginForm -

I have a problem with ASP.NET MVC Ajax forms. I generate many Ajax form in a table such as: & Lt; Input type = "submit" name = "activity" value = "add activity" / & gt; & Lt;%}% & gt; & Lt; / TD & gt; & Lt; / TR & gt; & Lt;%}% & gt; So far so good. When I post one of those forms, it gives a partial view in a div, and in this new partial view a new Ajax Beginnform (which is not in Genesis form) This second Ajax Beginnorf is exactly like the ones I got on the table, but when I post it, I do not get the "Ajax Post", but a normal post that sends me to a new page, I do not know whether the two Ajax forms What is the reason for the difference between, why is it the "dynamically generated" Ajax form behaves like a normal HTML form? By the way, I know that I can do it in different ways using javascript, but I would like to understand whether it can only be done using MVC helplars and Ajax lib...
Read more

Debug on symbian -

I am using trk for phone debug This works well for the Holorld project But when I start the project in phone debug mode 1) the load failed 2) TrkProtocolPlugin: to target the specified file Failure (please verify If any body understands what problem I am experiencing, then this problem helps me Pre-release If the application has the privileges assigned (with the appropriate certificate) itemprop = "text" > In your case, I will check: / li> If there is no conflict of application ID with any other application of device If there are problematic commands in the installation package (for example copy copy for non-accessible directories)
Read more