Problem with nonces and HTTP GET
Andrew Arnott
andrewarnott at gmail.com
Thu Jan 28 05:41:10 UTC 2010
John,
Can you help me understand the risk of a replay if SSL protected the message
such that you have very high confidence that the only person who could be
replaying it is the person who should be able to log in anyway?
IOW, what's the problem with replay if there's no chance of MITM attacks?
On the other hand, I'm not entirely convinced that nonces are all that
useful, since any MITM could also conceivably *pre*play the message, and get
in anyway. Encryption seems to really be the best/only mitigation.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Wed, Jan 27, 2010 at 5:22 PM, John Bradley <john.bradley at wingaa.com> wrote:
> I think it has been increased. It would probably be a boon to the internet
> if all versions of IE prior to 8 are deprecated.
>
> However I have a hard time seeing websites turning people away due to old
> browsers.
>
> It is possible for an IdP to detect the browser and use GET up to 4K+ if it
> is safe.
>
> That won't solve the problem that nonces do what they are supposed to and
> prevent token resubmission.
>
> John B.
> On 2010-01-27, at 10:12 PM, Henrik Biering wrote:
>
> >
> > John Bradley wrote:
> >>
> >> The other alternative is to ban IE because it is the source of the 2K
> limit for GET.
> >> Not a problem for FF or other browsers.
> > Although I cannot find any official documentation, it seems that the
> traditional 2K limit for IE GET requests has been increased significantly
> in IE8
> >
> > =henrik
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
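The replay check that John says nonces provide, as an added example in Python (not code from the thread or from any OpenID library). It assumes the OpenID 2.0 response_nonce layout, a 20-character UTC timestamp followed by a unique suffix, and a hypothetical relying-party store that remembers accepted nonces for a freshness window, so a resubmitted assertion is refused even when the transport itself is trusted:

```python
from datetime import datetime, timedelta, timezone

NONCE_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # OpenID 2.0 response_nonce timestamp prefix


class NonceStore:
    """Hypothetical relying-party nonce store (assumption, not a library API)."""

    def __init__(self, max_age_seconds=300):
        self.max_age = timedelta(seconds=max_age_seconds)
        self._seen = {}  # response_nonce -> timestamp it carried

    def _purge(self, now):
        # Forget nonces older than the window; a stale nonce is rejected
        # by the timestamp check anyway, so the store stays bounded.
        for nonce, ts in list(self._seen.items()):
            if now - ts > self.max_age:
                del self._seen[nonce]

    def accept(self, response_nonce, now):
        """True the first time a fresh, well-formed nonce is presented; False otherwise."""
        if not (20 <= len(response_nonce) <= 255):
            return False
        try:
            ts = datetime.strptime(response_nonce[:20], NONCE_TS_FORMAT)
        except ValueError:
            return False  # malformed timestamp prefix
        ts = ts.replace(tzinfo=timezone.utc)
        self._purge(now)
        if abs(now - ts) > self.max_age:
            return False  # stale, or implausibly far in the future
        if response_nonce in self._seen:
            return False  # replay: the same assertion resubmitted
        self._seen[response_nonce] = ts
        return True


def replay_check(nonces, now_iso):
    """Run a sequence of nonces through one store; returns the accept/reject list."""
    now = datetime.strptime(now_iso, NONCE_TS_FORMAT).replace(tzinfo=timezone.utc)
    store = NonceStore()
    return [store.accept(n, now) for n in nonces]


if __name__ == "__main__":
    # Constructed sample: fresh, replayed, stale, malformed, then a different fresh nonce.
    sample = ["2010-01-27T22:12:05Zabc123", "2010-01-27T22:12:05Zabc123",
              "2010-01-27T21:00:00Zxyz789", "not-a-nonce", "2010-01-27T22:12:05Zabc124"]
    print(replay_check(sample, "2010-01-27T22:12:30Z"))
```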