On Wed, Jun 21, 2023 at 8:55 PM Michael Thomas <mike@xxxxxxxx> wrote:
> On 6/21/23 2:19 AM, Raghu Saxena wrote:
>> Unfortunately I don't think it is remotely possible to educate the general public enough about OAuth and why using a browser to authenticate is important. The RFC even recommends "in-app browsers", which are not secure at all. I mean, after all, TikTok was previously injecting JS into websites via its in-app browser to log keystrokes "for debugging purposes" (Ref: https://www.macrumors.com/2022/08/18/felix-krause-in-app-browser-javascript-tool/)
>>
>> People are trusting in general, and OAuth via a native app looks natural enough that it is trivial to phish credentials in such a manner. In fact there are quite convincing Steam phishing attacks that seem to be prompting for OAuth, but they actually just generate a "browser window" in the fake website via pure CSS/JS.
>>
>> Anyway, I don't think an RFC can really solve it, since OAuth 2.0 is already everywhere.
>
> I agree that the horse has long escaped the barn, but making a BCP makes
> it sound like the horse is still there. IETF can make the BCP historic
> though, and better it should document how flawed OAuth and its
> assumptions are in the real world. It's amazing to me that it isn't
> exploited more in the real world. Or maybe it is and we just don't know
> about it. Yet. The powers that be didn't care when I first brought this
> up, and they will probably not care this time around either.
You may have brought it up within the discussion only, but not in a presentation/document to the WG.
Updating 8252, with you authoring a new draft proposal/input, could get interest in adapting it,
and as long as 8252 is the BCP in use, the best choice is to submit an update input (i.e., as you mentioned before, a rewrite).
best wishes,
AB