[wp-xmlrpc] Any interest in OAuth?

Joseph Scott joseph at randomnetworks.com
Wed Jun 18 17:52:42 GMT 2008


On Jun 18, 2008, at 3:40 AM, Joe Cheng wrote:

>> I agree. SSL is the secure way to connect to a server, don’t re-invent
>> SSL in XML-RPC.
>
> Don't think of it as re-inventing SSL. It's XML-RPC protocols that  
> re-invented HTTP Auth, except in the worst way possible. I just  
> want to negate that epic mistake. :)

Just to note, having XML-RPC not require/depend on/expect to have  
working/etc HTTP authentication turned out to be a really good  
thing.  Why?  Because through a sad series of events, it turns out to  
not work all the time.

	http://joseph.randomnetworks.com/archives/2007/09/19/http-basic-authentication-a-tale-of-atompub-wordpress-php-apache-cgi-and-ssltls/

While perhaps not the ideal situation that everyone would like,  
having XML-RPC not require HTTP authentication has made it much  
easier to support in a variety of server environments.

Also, there's nothing in XML-RPC that mandates authentication at all,  
or how it should be done.  I'm guessing that you're really referring  
to the common blog APIs that are built on top of XML-RPC (metaWeblog,  
blogger, mt, etc).  There's plenty to not be thrilled with there :-)

I'm not claiming that XML-RPC is perfect, or even the best, but it  
shouldn't be blamed for what people built on top of it.


>> Whatever you do, you only add complexity to XML-RPC w/o actually
>> making it fully secure.
>
> Yes, SSL/TLS when used properly is the best solution, and we should  
> make sure that scenario works when possible (especially  
> WordPress.com). But I'm sure the vast majority of WordPress users  
> don't have access to a cert that's signed by a trusted authority.  
> (Without valid, signed certificates, SSL/TLS is also not fully  
> secure, right?--seems like a man-in-the-middle attacker could  
> easily get the unencrypted password.) I also suspect that few if  
> any web hosts are preconfigured for SSL/TLS, even with self-signed  
> certs.
>
>> E.g. if you come up with a challenge/response system (to avoid replay
>> attacks) then you can still be the victim of host spoofing / DNS
>> poisoning. So you also need to verify that you are actually talking
>> with the right server.
>
> We're getting out of my depth here, but for most scenarios, is that  
> really going to be a big problem? My main concern here is to  
> prevent a malicious attacker from being able to hack the user's  
> blog. Stopping eavesdropping would be nice but to me is a distant  
> second in terms of importance. I guess you'd need to not only auth  
> with challenge/response but also sign the requests so a
> man-in-the-middle can't just change the payload.
>
> Sigh... security is hard. But on the other hand, we are currently  
> sending the password in cleartext. At least it can't get any worse,  
> right?


--
Joseph Scott
joseph at randomnetworks.com
http://joseph.randomnetworks.com/
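
The scheme floated in the quoted discussion (challenge/response plus a signature over the request so the payload cannot be changed in transit), sketched as an added example that is not part of the original thread or of WordPress. The `Server` class, the `sign` helper, the sample request body and the idea of a per-user shared key provisioned out of band are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, user: str, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    fields = (user.encode(), nonce.encode(), body)
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, keys: dict[str, bytes]):
        self._keys = keys        # username -> shared key (assumed provisioned out of band)
        self._issued = set()     # challenges handed out and not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, body: bytes, mac: str) -> bool:
        if nonce not in self._issued:
            return False                     # never issued, or already used (replay)
        self._issued.discard(nonce)          # a challenge is good for one attempt only
        key = self._keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(sign(key, user, nonce, body), mac)


def demo() -> dict:
    key = b"constructed-demo-key"            # constructed sample secret
    server = Server({"admin": key})
    # Constructed sample request body, not a complete XML-RPC call.
    body = b"<methodCall><methodName>metaWeblog.newPost</methodName>hello</methodCall>"

    n1 = server.challenge()
    mac1 = sign(key, "admin", n1, body)
    tampered = server.verify("admin", n1, body.replace(b"hello", b"spam"), mac1)

    n2 = server.challenge()
    mac2 = sign(key, "admin", n2, body)
    genuine = server.verify("admin", n2, body, mac2)
    replayed = server.verify("admin", n2, body, mac2)
    return {"tampered": tampered, "genuine": genuine, "replayed": replayed}
```

The secret never crosses the wire and a captured request cannot be replayed or altered, but nothing here authenticates the server or hides the payload, which is the host-spoofing gap raised in the quoted discussion.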
