[wp-xmlrpc] Any interest in OAuth?

Joe Cheng Joe.Cheng at microsoft.com
Wed Jun 18 17:54:34 GMT 2008

> I don't follow this. So XML-RPC did not use HTTP Auth for user
> authentication, instead did their own scheme. And this is an argument
> for them to now also not use the standard HTTP encryption protocol?

I'm not arguing to NOT use the standard HTTP encryption protocol--obviously when available, that's the best option. If it's not available, what do we do?

> The reason you want a signed certificate is that the _first_ time you
> connect e.g. to example.org then you are presented with a host key and
> you have no guarantee that you are actually connected to the machines
> actually running example.org or instead misdirected to a malicious
> site (posing as example.org).

OK, thanks, that makes sense to me.

So to make SSL work, the clients will have to prompt on untrusted certs and then persist that cert for next time (unless the OS does it for you). On the server side, how will WordPress know whether to point users to https or http?

> Maybe not pre-configured when you pick the cheapest shared hosting
> solution, but all the big ones do offer it, and if you run your own
> server (e.g. via virtualization which today is pretty cheap) you can
> even get signed certificates for free where the signing authority's
> certificate is in Leopard's list of trusted CA (if you self-sign, you
> can always add your own root certf. to this list).

I know it's usually *possible*, especially when money is applied, but I want a solution that will be not completely insecure by default (again, in addition to supporting SSL where available).

> And this is what https offers...

Thanks, I understand what https offers. The question is, what do we do when it's not configured?

I don't believe the only two rational choices are https or cleartext passwords, with nothing in between. Isn't it much worse to have your password compromised, than to be proxied through a malicious server using an auth scheme that isn't susceptible to replay attacks? In the latter case, at least the damage is limited to whatever the attacker can do while you're still making requests, and to what they can do using the XML-RPC API.

wp-xmlrpc mailing list
wp-xmlrpc at lists.automattic.com

More information about the wp-xmlrpc mailing list