Why is OAuth so popular
OAuth (Open Authorization)
That even a system designed to protect personal data, such as OAuth, cannot be one hundred percent perfect was shown as early as April 2009, when a security vulnerability was discovered. As with many such systems, phishing is also a constant risk: between April and May 2017, one million Gmail users fell victim to an OAuth-based phishing attack. In a fraudulent email, they were asked to grant authorization via a fake interface so that an alleged application called "Google Apps" could access their account data.
The development of the successor, OAuth2, was therefore meant not only to make the increasingly complex protocol easier to implement, but also to make it more secure. In October 2012 this work reached its final result, but without the approval of the developers who had worked on the original OAuth. Of them, only the lead OAuth2 editor Eran Hammer-Lahav had been involved in the old OAuth, and even he distanced himself from the new project three months before publication. In a post on his blog hueniverse.com dated July 26, 2012, he explained the background to his decision and, in its headline, called OAuth 2.0 the "Way to Hell".
What happened? According to Hammer-Lahav, the development of the new protocol was shaped by constant debates between the developers and the companies involved (including Yahoo!, Google, Twitter and Deutsche Bank). Disputes were mostly decided in favor of economic interests, and at some point objections were simply ignored. The result is a protocol that, according to Hammer-Lahav, should no longer be called one: instead of a narrowly defined standard, OAuth2 is at most a framework that can be adapted and extended at will. OAuth2 has thereby lost interoperability: different OAuth2 implementations are not necessarily compatible with each other.
Hammer-Lahav regrets one more thing: the decision in favor of a simpler implementation (for example by omitting signatures) leads to a lack of security. To build a secure application that supports OAuth2, developers need considerable expertise. It is therefore likely that insecure applications will simply pile up on the network in the future. Implementation errors are unavoidable given the incomplete and overly complex specification, said Hammer-Lahav.
Hammer-Lahav's fears were at least partly justified: in 2016, a research group at the University of Trier examined the security of OAuth2 in depth for the first time and discovered two security gaps, one of which enabled man-in-the-middle attacks. In principle, however, the researchers rated the protocol as relatively secure, provided it is implemented correctly. According to its own statements, the team behind OAuth2 has since fixed the vulnerabilities. For many IT experts, however, the research report was the occasion to publish articles on the secure use of OAuth 2.0.
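The "omitting signatures" point above is easiest to see side by side. OAuth 1.0 (RFC 5849) signed every request with an HMAC over the method, URL and parameters, so a resource server can detect a modified request; an OAuth 2.0 bearer token (RFC 6750) proves only possession of the token, and integrity of the request is left to TLS. The following Python is an added illustration written for this page, not code from either specification or from Hammer-Lahav; it implements a simplified form of the RFC 5849 HMAC-SHA1 signature (single-valued parameters, no port handling), and the host `api.example.test`, the secrets, the timestamp and the `amount` parameter are constructed sample values.

```python
"""Signed request (OAuth 1.0 style) versus bearer token (OAuth 2.0 style).

Added demonstration code, not taken from any OAuth library. The secrets,
hostname and request parameters below are constructed sample values.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is.
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # Parameters are sorted by name, encoded and joined with '&'; then the
    # method, URL and normalized parameter string are encoded again and joined.
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign_request(method, base_url, params, consumer_secret, token_secret) -> str:
    # The signature itself is never part of the signed data.
    signed = {k: v for k, v in params.items() if k != "oauth_signature"}
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, signed).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_signed_request(method, base_url, params, consumer_secret, token_secret) -> bool:
    # The server recomputes the HMAC; any change to method, URL or parameters
    # changes the base string and therefore fails verification.
    expected = sign_request(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def verify_bearer_request(headers: dict, valid_tokens: set) -> bool:
    # Bearer check: the token alone grants access. Nothing in this check binds
    # the token to the method, URL or body of the request it arrives with.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and token in valid_tokens


def demo() -> dict:
    """Sign a constructed request, tamper with it, and compare both checks."""
    consumer_secret, token_secret = "consumer-secret-sample", "token-secret-sample"
    url = "https://api.example.test/v1/transfer"  # constructed hostname
    params = {
        "oauth_consumer_key": "client-sample",
        "oauth_token": "token-sample",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1341705600",
        "oauth_nonce": "n0nce-sample",
        "oauth_version": "1.0",
        "amount": "10",
    }
    params["oauth_signature"] = sign_request("POST", url, params, consumer_secret, token_secret)
    tampered = dict(params, amount="1000")  # modified in transit, signature unchanged

    # Bearer variant of the same request: the body is not part of the check at all.
    bearer_headers = {"Authorization": "Bearer access-token-sample"}
    valid_tokens = {"access-token-sample"}

    return {
        "signed_ok": verify_signed_request("POST", url, params, consumer_secret, token_secret),
        "signed_tampered_ok": verify_signed_request("POST", url, tampered, consumer_secret, token_secret),
        "bearer_ok": verify_bearer_request(bearer_headers, valid_tokens),
        "bearer_tampered_ok": verify_bearer_request(bearer_headers, valid_tokens),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signed variant rejects the tampered request while the bearer variant cannot even notice it; that is exactly why a bearer-token deployment is only as secure as its TLS configuration and why the article's point about needing expertise to implement OAuth2 safely holds.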