Last modified: 2013-09-30 14:24:03 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. Logging in is not possible and, apart from displaying bug reports and their history, links might be broken. See T56110, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 54110 - Force HTTPS for /token if the Consumer is not using an RSA key
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: OAuth
Version: master
Hardware: All
OS: All
Priority: Unprioritized
Severity: normal
Target Milestone: ---
Assigned To: Chris Steipp
URL:
Depends on:
Blocks:
Reported: 2013-09-14 00:24 UTC by Chris Steipp
Modified: 2013-09-30 14:24 UTC
CC: 4 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Chris Steipp 2013-09-14 00:24:10 UTC
We currently don't require HTTPS for the consumer to get the authorization token. The auth token's secret is combined with the consumer's secret for an HMAC signature, so part of the signing key would be known to an attacker if they can sniff this traffic.

RFC 5849, section 2.3 says that:

   Since the request results in the transmission of plain text
   credentials in the HTTP response, the server MUST require the use of
   a transport-layer mechanism such as TLS or SSL (or a secure channel
   with equivalent protections).

However, if the Consumer is using an RSA key, then the authorization token's secret isn't used, so the security isn't affected by not using SSL for the /token call.
Comment 1 Brad Jorsch 2013-09-20 15:27:54 UTC
(In reply to comment #0)
> However, if the Consumer is using an RSA key, then the authorization token's
> secret isn't used, so the security isn't affected by not using SSL for the
> /token call.

What about the token credentials returned in the response? Those are still plain text.
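As an added illustration of the two points above (example code written for this page, not code from the OAuth extension): under RFC 5849 the HMAC-SHA1 signing key is literally consumer secret '&' token secret, so a token secret read off a plaintext /token response is half of every later signing key, while the token credentials in the response travel in the clear regardless of signature method. The URL, keys and secrets are constructed sample values, and `token_endpoint_over_tls` is an assumed policy check matching the title of the merged change.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are left as-is."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default ports and the query."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & URI & normalized parameters (oauth_signature excluded).
    `params` holds the merged query, body and Authorization-header parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_key(consumer_secret: str, token_secret: str) -> str:
    """RFC 5849 section 3.4.2: the HMAC key is consumer secret '&' token secret.
    A token secret exposed on a plaintext /token response is therefore half of every
    later signing key; RSA-SHA1 (section 3.4.3) signs with the consumer's private key
    and never uses the token secret at all."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    key = hmac_sha1_key(consumer_secret, token_secret).encode()
    text = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def verify_signature(method, url, params, consumer_secret, token_secret="") -> bool:
    """Server-side check: recompute the signature and compare in constant time."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def token_endpoint_over_tls(url: str) -> bool:
    """Assumed policy matching the merged change: serve the token endpoint only over HTTPS."""
    return urlsplit(url).scheme.lower() == "https"
```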
Comment 2 Gerrit Notification Bot 2013-09-20 15:30:08 UTC
Change 85218 had a related patch set uploaded by Anomie:
Use HTTPS for Special:MWOAuth/token

https://gerrit.wikimedia.org/r/85218
Comment 3 Gerrit Notification Bot 2013-09-28 19:24:54 UTC
Change 85218 merged by jenkins-bot:
Use HTTPS for Special:MWOAuth/token

https://gerrit.wikimedia.org/r/85218


