[wp-xmlrpc] Any interest in OAuth?
Joseph Scott
joseph at randomnetworks.com
Wed Jun 18 17:52:42 GMT 2008
On Jun 18, 2008, at 3:40 AM, Joe Cheng wrote:
>> I agree. SSL is the secure way to connect to a server, don’t re-invent
>> SSL in XML-RPC.
>
> Don't think of it as re-inventing SSL. It's XML-RPC protocols that
> re-invented HTTP Auth, except in the worst way possible. I just
> want to negate that epic mistake. :)
Just to note, having XML-RPC not require/depend on/expect to have
working/etc HTTP authentication turned out to be a really good
thing. Why? Because through a sad series of events, it turns out to
not work all the time.
http://joseph.randomnetworks.com/archives/2007/09/19/http-basic-authentication-a-tale-of-atompub-wordpress-php-apache-cgi-and-ssltls/
While perhaps not the ideal situation that everyone would like,
having XML-RPC not require HTTP authentication has made it much
easier to support in a variety of server environments.
Also, there's nothing in XML-RPC that mandates authentication at all,
or how it should be done. I'm guessing that you're really referring
to the common blog APIs that are built on top of XML-RPC (metaWeblog,
blogger, mt, etc). There's plenty to not be thrilled with there :-)
I'm not claiming that XML-RPC is perfect, or even the best, but it
shouldn't be blamed for what people built on top of it.
>> Whatever you do, you only add complexity to XML-RPC w/o actually
>> making it fully secure.
>
> Yes, SSL/TLS when used properly is the best solution, and we should
> make sure that scenario works when possible (especially
> WordPress.com). But I'm sure the vast majority of WordPress users
> don't have access to a cert that's signed by a trusted authority.
> (Without valid, signed certificates, SSL/TLS is also not fully
> secure, right?--seems like a man-in-the-middle attacker could
> easily get the unencrypted password.) I also suspect that few if
> any web hosts are preconfigured for SSL/TLS, even with self-signed
> certs.
>
>> E.g. if you come up with a challenge/response system (to avoid replay
>> attacks) then you can still be the victim of host spoofing / DNS
>> poisoning. So you also need to verify that you are actually talking
>> with the right server.
>
> We're getting out of my depth here, but for most scenarios, is that
> really going to be a big problem? My main concern here is to
> prevent a malicious attacker from being able to hack the user's
> blog. Stopping eavesdropping would be nice but to me is a distant
> second in terms of importance. I guess you'd need to not only auth
> with challenge/response but also sign the requests so a man-in-the-middle
> can't just change the payload.
>
> Sigh... security is hard. But on the other hand, we are currently
> sending the password in cleartext. At least it can't get any worse,
> right?
--
Joseph Scott
joseph at randomnetworks.com
http://joseph.randomnetworks.com/
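The point Joe Cheng reaches at the end of the quoted message, that a challenge/response handshake alone proves the password but does not stop an intermediary from changing the request body, and that binding the response to the body (signing the request) closes that gap, can be shown with a small model. This is an added example, not code from the thread, from WordPress or from any XML-RPC library; the Server class, the user "alice", her password and the XML-RPC body are all constructed for the illustration.

```python
"""Challenge/response authentication with and without request signing.
Constructed example: the Server class, the user "alice", the password and
the XML-RPC body are hypothetical; this is not WordPress or XML-RPC code."""
import hashlib
import hmac
import secrets


def mac(password, *parts):
    """HMAC-SHA256 keyed with the password over the given byte strings.
    A real deployment would key this with a derived secret, not the raw password."""
    h = hmac.new(password.encode(), digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
        h.update(b"\x00")          # delimiter so field boundaries are unambiguous
    return h.hexdigest()


class Server:
    """Issues single-use challenges and verifies the client's responses."""

    def __init__(self, users):
        self.users = dict(users)   # username -> password (constructed sample data)
        self.pending = {}          # challenge -> username, consumed on success

    def issue_challenge(self, username):
        challenge = secrets.token_hex(16)
        self.pending[challenge] = username
        return challenge

    def _consume_if_valid(self, username, challenge, expected, response):
        if self.pending.get(challenge) != username:
            return False           # unknown, already used, or another user's challenge
        if not hmac.compare_digest(expected, response):
            return False           # bad response; challenge stays pending for the real client
        del self.pending[challenge]  # single use: replaying a captured response fails here
        return True

    def verify_challenge_only(self, username, challenge, body, response):
        """Proves knowledge of the password but never looks at the body,
        so whatever travels alongside the response is accepted as-is."""
        del body                   # deliberately not covered: this is the weakness
        expected = mac(self.users[username], challenge.encode())
        return self._consume_if_valid(username, challenge, expected, response)

    def verify_signed(self, username, challenge, body, response):
        """Authentication plus integrity: the MAC covers the body too."""
        expected = mac(self.users[username], challenge.encode(), body)
        return self._consume_if_valid(username, challenge, expected, response)


def run_scenarios():
    """Run both schemes against an in-path party that edits the payload and
    against a replay of a captured valid response; return the outcomes."""
    password = "correct horse battery staple"   # constructed
    server = Server({"alice": password})
    body = b"<methodCall><methodName>wp.getOptions</methodName></methodCall>"
    altered = body.replace(b"getOptions", b"setOptions")

    # Scheme 1: challenge/response only. The response is forwarded unchanged
    # while the body is swapped; the server has nothing to notice it with.
    ch1 = server.issue_challenge("alice")
    resp1 = mac(password, ch1.encode())
    challenge_only_tampered = server.verify_challenge_only("alice", ch1, altered, resp1)

    # Scheme 2: the response is bound to the body, so the swap is caught,
    # the genuine request still passes, and a replay of it is refused.
    ch2 = server.issue_challenge("alice")
    resp2 = mac(password, ch2.encode(), body)
    signed_tampered = server.verify_signed("alice", ch2, altered, resp2)
    signed_genuine = server.verify_signed("alice", ch2, body, resp2)
    signed_replay = server.verify_signed("alice", ch2, body, resp2)

    # A wrong password never verifies, and the challenge stays usable.
    ch3 = server.issue_challenge("alice")
    wrong_password = server.verify_signed("alice", ch3, body, mac("guess", ch3.encode(), body))

    return {
        "challenge_only_tampered_accepted": challenge_only_tampered,  # True: the flaw
        "signed_tampered_accepted": signed_tampered,                  # False
        "signed_genuine_accepted": signed_genuine,                    # True
        "signed_replay_accepted": signed_replay,                      # False
        "wrong_password_accepted": wrong_password,                    # False
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The single-use challenge is what defeats replay, and the signature check runs before the challenge is consumed so that a forged attempt cannot burn the challenge the real client is about to use. As the earlier part of the thread notes, none of this tells the client it is talking to the right server; a spoofed host that handed out its own challenges would still be trusted, which is the part only TLS with a properly validated certificate addresses.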