Re: [sasl_oauth] Can we require Referrer on a password flow?

  • Brian Eaton
    Message 1 of 10 , Jun 2, 2010
      On Wed, Jun 2, 2010 at 2:29 PM, Tim Showalter <timshow@...> wrote:
      >> OAuth lets you drop in stronger forms of authentication. For example,
      >> OTPs, or SSL client certificates. These kinds of credentials make
      >> phishing attacks much more difficult.
      >
      > I don't buy this argument.
      >
      > Plain SASL already supports OTP and dozens of other mechanisms.
      >
      > IMAP, in particular, has built-in support for out-of-band
      > authentication like client side certificates -- see PREAUTH.  If I
      > recall correctly, there's a SASL mechanism that adds out-of-band
      > authentication, specifically SSL client-side certs, to other SASL
      > protocols as well.

      No popular IMAP clients actually support that, though. =(
    • Allen Tom
      Message 2 of 10 , Jun 2, 2010
        I’m dating myself, but AOL used to have an IMAP client called AOL Communicator that supported OTP+Password – it suffered severe usability problems since the user would be prompted to enter their credentials every few hours.

        One of the benefits to SASL/OAuth is that mail providers will have the ability to authenticate the user once using an OTP/Password using the browser – and have that credential permanently stored on the client using an OAuth access token – so the user only needs to enter the OTP once in order to provision their mail client.

        Allen


        On 6/2/10 2:31 PM, "Brian Eaton" <beaton@...> wrote:

        On Wed, Jun 2, 2010 at 2:29 PM, Tim Showalter <timshow@...> wrote:

        >
        > Plain SASL already supports OTP and dozens of other mechanisms.
        >
        > IMAP, in particular, has built-in support for out-of-band
        > authentication like client side certificates -- see PREAUTH.  If I
        > recall correctly, there's a SASL mechanism that adds out-of-band
        > authentication, specifically SSL client-side certs, to other SASL
        > protocols as well.

        No popular IMAP clients actually support that, though. =(
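The provisioning pattern Allen describes above (OTP and password entered once in the browser, after which the mail client holds only an OAuth access token), sketched as an added Python example that is not part of the original thread. The SASL initial-response layout used here is the XOAUTH2 format Google documents for IMAP, which this thread never specifies, so that layout and the `authorize` stub standing in for the browser step are assumptions.

```python
import base64
import time
from typing import Callable, Optional, Tuple

# Hypothetical stand-in for the browser step: the user authenticates with
# OTP + password at the provider's authorization endpoint and the client
# receives an access token plus its lifetime in seconds. Constructed for
# this example; it is not a real OAuth library call.
AuthorizeFn = Callable[[str], Tuple[str, float]]


def build_xoauth2_response(username: str, access_token: str) -> str:
    """Base64 initial client response in the XOAUTH2 layout (assumed format):
    user=<addr>^Aauth=Bearer <token>^A^A, where ^A is the byte 0x01.
    This is what the client sends with IMAP AUTHENTICATE; no password is in it."""
    raw = f"user={username}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_response(encoded: str) -> Tuple[str, str]:
    """Server-side inverse: recover (username, token) or raise ValueError."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminating ^A^A")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, _, value = part.partition("=")
        if not key or not value:
            raise ValueError(f"malformed field {part!r}")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token or "user" not in fields:
        raise ValueError("expected user=... and auth=Bearer ...")
    return fields["user"], token


class MailClientCredentialStore:
    """What the mail client persists: the token and its expiry, never the
    password or OTP. The prompt counter shows how often the browser step
    actually runs across sessions."""

    def __init__(self) -> None:
        self.token: Optional[str] = None
        self.expires_at = 0.0
        self.otp_prompts = 0

    def provision(self, username: str, authorize: AuthorizeFn, now: float) -> None:
        # The only point at which the user sees an OTP/password prompt.
        self.otp_prompts += 1
        self.token, lifetime = authorize(username)
        self.expires_at = now + lifetime

    def sasl_initial_response(self, username: str, authorize: AuthorizeFn,
                              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Re-run the browser/OTP step only when no usable token is held.
        if self.token is None or now >= self.expires_at:
            self.provision(username, authorize, now)
        return build_xoauth2_response(username, self.token)


if __name__ == "__main__":
    # Constructed sample: a token valid for one hour.
    def fake_authorize(user: str) -> Tuple[str, float]:
        return ("constructed-token-123", 3600.0)

    store = MailClientCredentialStore()
    for session_start in (0.0, 900.0, 1800.0, 2700.0):
        store.sasl_initial_response("alice@example.com", fake_authorize, session_start)
    print("OTP prompts across four IMAP sessions:", store.otp_prompts)
```

The point of the example is the control flow, not the encoding: the OTP prompt fires once at provisioning, later sessions reuse the stored token, and the server-side parser sees a bearer token rather than a password.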
      • Allen Tom
        Message 3 of 10 , Jun 3, 2010
          So Bill and I had a quick chat about this scenario. Currently, users who mistype their imap/smtp server hostnames when configuring their mail client end up sending their passwords to the wrong server.

          Similarly, when using the OAuth2 username/password flow, the user will still send their passwords to the wrong server, even if the Referrer is sent along with the request. I don’t think there’s really much that can be done in this case.

          Allen



          On 6/2/10 12:30 PM, "William Mills" <wmills@...> wrote:

          It's no different.  If the user wants to give away their password to a phish they can.  We can try to do something about it; the question is whether it's worthwhile and effective.
