Yeah, that meddling Balfanz just HAD to get in there and mess everything up. Without him, we could have called this the PoNy Protocol...
Google and Microsoft engineers have pooled their efforts to propose a protection against what are known as "replay attacks". These occur when an attacker steals something like a victim's OAuth token and uses it to impersonate them to access otherwise secured resources. The Token Binding Protocol is the next instalment in the …
'scuse me. We need a *groan* response that is neither thumbs up nor down but a nice big LART.
Damn, never having looked at the innards of OAuth, I'm surprised it uses tokens subject to replay attack in the first place.
Why it looks to me like..
.... client certificates stored in protected storage, like a hardware module?
Reinventing the wheel?
Re: Why it looks to me like..
Why are you storing certificates in an HSM?
Keys you store in an HSM. Certificates are supposed to be public. That's the whole point of certificates.
And the proposal suggests using keys stored in an HSM. They're not reinventing that wheel; they're suggesting you use it.
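The replay the article teaser describes and the HSM-resident key the comment above points to, as an added example that is not code from the article or the thread: a token bound to a client key pair, where each request proves possession by signing the connection's exported keying material (EKM), in the spirit of Token Binding. The Ed25519 key pair stands in for a key held in protected storage, and the token value and EKM bytes are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// BoundToken is an access token the issuer has tied to one client public key.
type BoundToken struct {
	Value string // the credential a bearer-token thief would steal
	KeyID string // hex SHA-256 of the client's public key
}

// keyID derives the binding identifier from a public key.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Issue binds a freshly minted token to the presenting client's public key.
func Issue(value string, pub ed25519.PublicKey) BoundToken {
	return BoundToken{Value: value, KeyID: keyID(pub)}
}

// Prove (client side) signs this connection's EKM with the private key, which never leaves the client.
func Prove(priv ed25519.PrivateKey, ekm []byte) []byte {
	return ed25519.Sign(priv, ekm)
}

// Verify (server side) accepts the token only if the presented key is the one it
// was bound to and the proof is a valid signature over this connection's EKM.
func Verify(tok BoundToken, pub ed25519.PublicKey, ekm, proof []byte) bool {
	return keyID(pub) == tok.KeyID && ed25519.Verify(pub, ekm, proof)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok := Issue("constructed-access-token", pub)
	ekm1 := []byte("constructed EKM for connection 1") // stand-in for TLS EKM
	fmt.Println("legitimate owner:     ", Verify(tok, pub, ekm1, Prove(priv, ekm1)))
	// Thief presents the stolen token with their own key pair: key mismatch.
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("thief, own key:       ", Verify(tok, tPub, ekm1, Prove(tPriv, ekm1)))
	// Thief replays the owner's captured proof on a new connection: stale EKM.
	ekm2 := []byte("constructed EKM for connection 2")
	fmt.Println("thief, captured proof:", Verify(tok, pub, ekm2, Prove(priv, ekm1)))
}
```

Only the first check succeeds; a stolen token is useless without the private key, and a captured proof is useless on any other connection.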
I think the even bigger problem is.....
users' access tokens being handed out to world+dog by the likes of Facebook.
You can even find the APIs for grabbing users' access tokens inside repackaged apps on third-party app stores that are known for delivering malware/adware.
(Remember the Cambridge Survey?)
Never pay on a computer
The real problem is online payments. Never sign into your bank's website. Do not even get a password for it. Too many risks. You can do telephone banking more securely. On the other hand, it is best to enter the branch. Cash is king--not Google or Microsoft. I don't trust them with my wallet.
Re: Never pay on a computer
And don't drive a car. There is no safe level of car use.