[wp-xmlrpc] Any interest in OAuth?

[Joe Cheng]

> I agree. SSL is the secure way to connect to a server, don’t re-invent
> SSL in XML-RPC.

Don't think of it as re-inventing SSL. It's XML-RPC protocols that re-invented HTTP Auth, except in the worst way possible. I just want to negate that epic mistake. :)

> Whatever you do, you only add complexity to XML-RPC w/o actually
> making it fully secure.

Yes, SSL/TLS when used properly is the best solution, and we should make sure that scenario works when possible (especially WordPress.com). But I'm sure the vast majority of WordPress users don't have access to a cert that's signed by a trusted authority. (Without valid, signed certificates, SSL/TLS is also not fully secure, right?--seems like a man-in-the-middle attacker could easily get the unencrypted password.) I also suspect that few if any web hosts are preconfigured for SSL/TLS, even with self-signed certs.

> E.g. if you come up with a challenge/response system (to avoid replay
> attacks) then you can still be the victim of host spoofing / DNS
> poisoning. So you also need to verify that you are actually talking
> with the right server.

We're getting out of my depth here, but for most scenarios, is that really going to be a big problem? My main concern here is to prevent a malicious attacker from being able to hack the user's blog. Stopping eavesdropping would be nice but to me is a distant second in terms of importance. I guess you'd need to not only auth with challenge/response but also sign the requests so a man-in-the-middle can't just change the payload.

Sigh... security is hard. But on the other hand, we are currently sending the password in cleartext. At least it can't get any worse, right?