Google and Microsoft boffins playing nicely together to stop replay attacks in their tracks

Google and Microsoft engineers have pooled their efforts to propose a protection against what are known as "replay attacks". These occur when an attacker steals something like a victim's OAuth token and presents it as their own to impersonate the victim and reach otherwise secured resources. The Token Binding Protocol is the next instalment in the …
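As an added illustration of what "binding" a token buys you (this is example code written for this page, not Google's, Microsoft's or the Token Binding draft's own code, and it does not reproduce the RFC wire format): the client holds a long-lived key pair, signs a value derived from the TLS connection (the exported keying material, stood in for here by a constructed random per-connection value), and the server issues the token to the hash of that public key. A stolen token is then useless on its own, because the thief can neither produce a fresh signature for their own connection nor present a key the token was issued to. Names such as `Client`, `TokenBinding`, `IssueToken` and `VerifyPresentation` are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Client is the user agent side: a per-server key pair that never leaves the client
// (in practice it would live in an HSM/TPM; here it is in memory for the example).
type Client struct {
	priv *ecdsa.PrivateKey
	pub  []byte // DER-encoded SubjectPublicKeyInfo, sent with every request
}

func NewClient() (*Client, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv, pub: pub}, nil
}

// BindingID is how the server refers to a client key: a hash of the public key.
func BindingID(pub []byte) [32]byte { return sha256.Sum256(pub) }

// ConnectionEKM stands in for the TLS exporter output (RFC 5705) that a real
// implementation would pull from the live TLS session. Constructed here as random bytes:
// the point is only that it is different for every connection.
func ConnectionEKM() ([]byte, error) {
	ekm := make([]byte, 32)
	_, err := rand.Read(ekm)
	return ekm, err
}

// TokenBinding is what the client attaches to a request: its public key and a
// signature that proves it holds the private key *on this particular connection*.
type TokenBinding struct {
	PublicKey []byte
	Signature []byte
}

func (c *Client) Bind(ekm []byte) (TokenBinding, error) {
	digest := sha256.Sum256(ekm)
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
	if err != nil {
		return TokenBinding{}, err
	}
	return TokenBinding{PublicKey: c.pub, Signature: sig}, nil
}

// Token is the credential the server hands out; it records which key it was issued to.
type Token struct {
	Subject   string
	BindingID [32]byte
}

func IssueToken(subject string, tb TokenBinding) Token {
	return Token{Subject: subject, BindingID: BindingID(tb.PublicKey)}
}

var (
	ErrBadSignature = errors.New("token binding signature does not match this connection")
	ErrWrongKey     = errors.New("token was bound to a different key")
)

// VerifyPresentation is the server-side check on every request: the signature must
// cover this connection's EKM (defeats replaying a captured binding message), and the
// presented key must be the one the token was issued to (defeats re-binding with a new key).
func VerifyPresentation(tok Token, tb TokenBinding, ekm []byte) error {
	pubAny, err := x509.ParsePKIXPublicKey(tb.PublicKey)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	digest := sha256.Sum256(ekm)
	if !ecdsa.VerifyASN1(pub, digest[:], tb.Signature) {
		return ErrBadSignature
	}
	if BindingID(tb.PublicKey) != tok.BindingID {
		return ErrWrongKey
	}
	return nil
}

func main() {
	alice, _ := NewClient()
	ekm1, _ := ConnectionEKM()
	tb1, _ := alice.Bind(ekm1)
	tok := IssueToken("alice", tb1)
	fmt.Println("legitimate use:", VerifyPresentation(tok, tb1, ekm1))
	// Attacker replays the captured token and binding message on their own connection.
	ekm2, _ := ConnectionEKM()
	fmt.Println("replayed binding:", VerifyPresentation(tok, tb1, ekm2))
	// Attacker instead binds the stolen token to a key they do control.
	mallory, _ := NewClient()
	tb2, _ := mallory.Bind(ekm2)
	fmt.Println("attacker's own key:", VerifyPresentation(tok, tb2, ekm2))
}
```

The two failing cases in `main` are the two ways a thief can try to use a stolen bearer token: replay the captured signature (fails, because it was computed over a different connection's EKM) or sign with a key of their own (fails, because the token names a different binding ID). Only the holder of the original private key can satisfy both checks.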

  1. DropBear

    Yeah, that meddling Balfanz just HAD to get in there and mess everything up. Without him, we could have called this the PoNy Protocol...

    1. Nick Kew

      'scuse me. We need a *groan* response that is neither thumbs up nor down but a nice big LART.

      Damn, never having looked at the innards of OAuth, I'm surprised it uses tokens subject to replay attack in the first place.

    2. Anonymous Coward

      pony baaaaa

  2. Anonymous Coward

    Why it looks to me like..

.... client certificates stored in protected storage, like a hardware module?

    Reinventing the wheel?

    1. Michael Wojcik

      Re: Why it looks to me like..

      Why are you storing certificates in an HSM?

      Keys you store in an HSM. Certificates are supposed to be public. That's the whole point of certificates.

      And the proposal suggests using keys stored in an HSM. They're not reinventing that wheel; they're suggesting you use it.

  3. Anonymous Coward

    I think the even bigger problem is.....

    users' access tokens being handed out to world+dog by the likes of Facebook.

    You can even find the APIs for grabbing users' access tokens inside repackaged apps on third-party app stores that are known for delivering malware/adware.

    (Remember the Cambridge Survey?)

  4. Tree

    Never pay on a computer

    The real problem is online payments. Never sign into your bank's website. Do not even get a password for it. Too many risks. You can do telephone banking more securely. On the other hand, it is best to enter the branch. Cash is king--not Google or Microsoft. I don't trust them with my wallet.

    1. Jim Birch

      Re: Never pay on a computer

      And don't drive a car. There is no safe level of car use.
