Google and Microsoft boffins playing nicely together to stop replay attacks in their tracks

Google and Microsoft engineers have pooled their efforts to propose a protection against what are known as "replay attacks". These occur when an attacker steals something like a victim's OAuth token and uses it to impersonate them to access otherwise secured resources. The Token Binding Protocol is the next instalment in the …

Silver badge
Trollface

Yeah, that meddling Balfanz just HAD to get in there and mess everything up. Without him, we could have called this the PoNy Protocol...

1
0
Silver badge
Stop

'scuse me. We need a *groan* response that is neither thumbs up nor down but a nice big LART.

Damn, never having looked at the innards of OAuth, I'm surprised it uses tokens subject to replay attack in the first place.

2
0
Anonymous Coward

pony baaaaa

0
0
Anonymous Coward

Why it looks to me like..

.... client certificates stored in protected storage, like a hardware module?

Reinventing the wheel?

0
0
Silver badge

Re: Why it looks to me like..

Why are you storing certificates in an HSM?

Keys you store in an HSM. Certificates are supposed to be public. That's the whole point of certificates.

And the proposal suggests using keys stored in an HSM. They're not reinventing that wheel; they're suggesting you use it.

0
0
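The comment above makes the security point compactly: the certificate (or public key) is public, and what the proposal actually leans on is a private key that never leaves the client's hardware. The following Go program is an added example, not code from the article, from the commenters, or from the Token Binding specification. It models the idea loosely: a plain bearer token is accepted from whoever presents it, while a bound token carries a hash of the client's public key and is honoured only if the presenter signs a fresh per-connection value (standing in for TLS exported keying material) with the matching private key. Everything here (the `Server`, `Client`, `Demo` names, the `sub=...&tbk=...` token format, the random 32-byte EKM) is invented for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Server issues tokens and, for bound tokens, demands proof of possession.
type Server struct{ secret []byte }

func NewServer() *Server {
	s := &Server{secret: make([]byte, 32)}
	rand.Read(s.secret)
	return s
}

func (s *Server) mac(payload string) string {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// issue returns payload + "." + HMAC (hypothetical token format for this demo).
func (s *Server) issue(payload string) string { return payload + "." + s.mac(payload) }

func (s *Server) IssueBearer(sub string) string { return s.issue("sub=" + sub) }

// KeyID is the token-binding ID: a hash of the client's public key. This is the
// only key material the token carries, and it is public.
func KeyID(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

func (s *Server) IssueBound(sub string, pub ed25519.PublicKey) string {
	return s.issue("sub=" + sub + "&tbk=" + KeyID(pub))
}

// parse checks the MAC and splits the payload into fields.
func (s *Server) parse(token string) (map[string]string, bool) {
	i := strings.LastIndexByte(token, '.')
	if i < 0 {
		return nil, false
	}
	payload, tag := token[:i], token[i+1:]
	if !hmac.Equal([]byte(tag), []byte(s.mac(payload))) {
		return nil, false
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(payload, "&") {
		k, v, _ := strings.Cut(kv, "=")
		fields[k] = v
	}
	return fields, true
}

// VerifyBearer: whoever holds the token is the user, so a stolen token is a usable token.
func (s *Server) VerifyBearer(token string) (string, bool) {
	f, ok := s.parse(token)
	if !ok {
		return "", false
	}
	return f["sub"], true
}

// NewEKM stands in for TLS exported keying material: fresh per connection, known to both ends.
func (s *Server) NewEKM() []byte {
	ekm := make([]byte, 32)
	rand.Read(ekm)
	return ekm
}

// VerifyBound honours the token only if the presenter signs this connection's EKM
// with the private key whose public half the token was bound to.
func (s *Server) VerifyBound(token string, pub ed25519.PublicKey, ekm, sig []byte) (string, bool) {
	f, ok := s.parse(token)
	if !ok || f["tbk"] != KeyID(pub) || !ed25519.Verify(pub, ekm, sig) {
		return "", false
	}
	return f["sub"], true
}

// Client holds the private key; in the proposal this sits in an HSM/TPM and never leaves it.
type Client struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewClient() *Client {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Client{Pub: pub, priv: priv}
}

func (c *Client) Prove(ekm []byte) []byte { return ed25519.Sign(c.priv, ekm) }

// Demo returns (legitOK, bearerReplayOK, boundReplayOK, keySwapOK).
func Demo() (bool, bool, bool, bool) {
	srv, alice, mallory := NewServer(), NewClient(), NewClient()

	bearer := srv.IssueBearer("alice")
	_, bearerReplayOK := srv.VerifyBearer(bearer) // attacker presents the stolen string

	bound := srv.IssueBound("alice", alice.Pub)
	ekm1 := srv.NewEKM()
	sig1 := alice.Prove(ekm1)
	_, legitOK := srv.VerifyBound(bound, alice.Pub, ekm1, sig1)

	// Attacker replays everything seen on the wire on a new connection: EKM differs.
	ekm2 := srv.NewEKM()
	_, boundReplayOK := srv.VerifyBound(bound, alice.Pub, ekm2, sig1)
	// Attacker signs the new EKM with their own key: key ID no longer matches the token.
	_, keySwapOK := srv.VerifyBound(bound, mallory.Pub, ekm2, mallory.Prove(ekm2))
	return legitOK, bearerReplayOK, boundReplayOK, keySwapOK
}

func main() {
	l, b, r, k := Demo()
	fmt.Printf("legit=%v bearerReplay=%v boundReplay=%v keySwap=%v\n", l, b, r, k)
}
```

Run it with `go run .`; the bearer replay succeeds while both attacks on the bound token fail. The thing worth noticing is what the attacker is assumed to have: the token, the public key and a valid signature from an earlier connection, i.e. everything that crosses the wire. None of it helps without the private key, which is why the proposal's value depends on where that key lives.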
Anonymous Coward

I think the even bigger problem is.....

users' access tokens being handed out to world+dog by the likes of Facebook.

You can even find the APIs for grabbing users' access tokens inside repackaged apps on third party app stores that are known for delivering malware/adware.

(Remember the Cambridge Survey?)

3
0
Holmes

Never pay on a computer

The real problem is online payments. Never sign into your bank's website. Do not even get a password for it. Too many risks. You can do telephone banking more securely. On the other hand, it is best to enter the branch. Cash is king--not Google or Microsoft. I don't trust them with my wallet.

0
0

Re: Never pay on a computer

And don't drive a car. There is no safe level of car use.

0
0


Biting the hand that feeds IT © 1998–2018