Over the past few days a security threat has been identified in the OAuth Core 1.0 protocol. While this is not an IETF protocol, it is being chartered for standardization within the IETF. Before the security threat was disclosed, the community worked closely with many vendors to coordinate and help them mitigate the risks involved. The attack cannot be solved without a protocol change.

The OAuth Security Advisory 2009.1 was posted on the OAuth site:
http://oauth.net/advisories/2009-1

For more information on the attack:
http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html

I serve as the community coordinator for this issue. Please feel free to contact me in public or private with any concerns.

EHL
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
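Added example, not part of EHL's message, the advisory, or any OAuth library: the Python below is a toy model of the OAuth 1.0 token endpoints that reproduces the session fixation attack the advisory describes, then applies the protocol change adopted as OAuth 1.0a (an unguessable oauth_verifier minted at authorization, delivered only to the authorizing browser, and required at the access token exchange) and shows the same attack failing. The consumer key, the user names, and the class and function names are assumptions made for the illustration.

```python
import secrets


class OAuthServer:
    """Toy model of the OAuth 1.0 token endpoints (added example, not the
    advisory's text or any real implementation).

    require_verifier=False models OAuth Core 1.0 as published: an authorized
    request token alone is enough to obtain the access token.
    require_verifier=True models the protocol change adopted in 1.0a: on
    authorization the server mints an unguessable oauth_verifier, hands it
    only to the browser that did the authorizing, and refuses to exchange
    the request token without it.
    """

    def __init__(self, require_verifier):
        self.require_verifier = require_verifier
        self.request_tokens = {}  # request token -> {"consumer", "user", "verifier"}
        self.access_tokens = {}   # access token -> resource owner it unlocks

    def request_token(self, consumer_key):
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "user": None, "verifier": None}
        return token

    def authorize(self, token, user):
        """Resource owner approves the request token in their browser.
        Returns what the server hands back to that browser: None under 1.0,
        the verifier under 1.0a."""
        rt = self.request_tokens[token]
        rt["user"] = user
        if self.require_verifier:
            rt["verifier"] = secrets.token_hex(8)
        return rt["verifier"]

    def access_token(self, consumer_key, token, verifier=None):
        rt = self.request_tokens.get(token)
        if rt is None or rt["consumer"] != consumer_key or rt["user"] is None:
            raise PermissionError("request token not authorized")
        if self.require_verifier and (
            verifier is None or not secrets.compare_digest(verifier, rt["verifier"])
        ):
            raise PermissionError("missing or wrong oauth_verifier")
        del self.request_tokens[token]  # one exchange per request token
        access = secrets.token_hex(8)
        self.access_tokens[access] = rt["user"]
        return access


CONSUMER_KEY = "example-consumer"  # assumed name for the illustration


def session_fixation_attack(require_verifier):
    """Run the advisory's attack against a server of the given flavour.
    Returns the resource owner whose data the attacker's consumer session
    ends up holding, or None if the server refused the exchange."""
    server = OAuthServer(require_verifier)
    # 1. The attacker starts the flow on a legitimate consumer site; the
    #    consumer fetches a request token and stores it in the attacker's session.
    attacker_session = {"request_token": server.request_token(CONSUMER_KEY)}
    # 2. The attacker tricks the victim into opening the authorization URL that
    #    carries that request token. The victim approves. Whatever the server
    #    returns goes to the victim's browser, never to the attacker.
    victim_browser_gets = server.authorize(attacker_session["request_token"], user="victim")
    assert require_verifier == (victim_browser_gets is not None)
    # 3. The attacker now completes the flow in their own consumer session.
    #    Under 1.0 the consumer exchanges the stored request token and binds the
    #    resulting access token to the attacker; under 1.0a the attacker has no
    #    verifier to present, so the exchange is refused.
    try:
        access = server.access_token(CONSUMER_KEY, attacker_session["request_token"])
    except PermissionError:
        return None
    return server.access_tokens[access]


def legitimate_flow_1_0a():
    """Normal 1.0a flow: the verifier returned to the authorizing browser is
    delivered to the consumer's callback and presented at the exchange."""
    server = OAuthServer(require_verifier=True)
    token = server.request_token(CONSUMER_KEY)
    verifier = server.authorize(token, user="alice")
    access = server.access_token(CONSUMER_KEY, token, verifier)
    return server.access_tokens[access]


if __name__ == "__main__":
    print("OAuth 1.0  attacker obtains data of:", session_fixation_attack(False))
    print("OAuth 1.0a attacker obtains data of:", session_fixation_attack(True))
    print("OAuth 1.0a legitimate flow, access token for:", legitimate_flow_1_0a())
```

The model covers only the oauth_verifier half of the 1.0a change; 1.0a also moves oauth_callback from the authorization redirect into the signed request token request, so that the consumer rather than the attacker decides where the verifier is delivered. Signatures, nonces and timestamps are left out because they play no part in the fixation itself: the attacker's consumer session holds a perfectly valid, properly signed request token, which is exactly why the fix had to be a protocol change rather than a hardening of any single implementation.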