Unicode.org mail system maintenance
James Kass
jameskass at code2001.com
Thu May 20 17:49:10 CDT 2021
On 2021-05-20 2:34 PM, Steffen Nurpmeso via Unicode wrote:
> The explanation that seems to have been given by
> administrators in response to a long-term Unicode worker was
> ridiculous.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
<quote>
4.1.3. Countermeasures
The complexity of implementing and managing pattern matching
correctly obviously causes security issues. This document therefore
advises to simplify the required logic and configuration by using
exact redirect URI matching. This means the authorization server
MUST compare the two URIs using simple string comparison as defined
in [RFC3986], Section 6.2.1.
<end quote>
I'm no expert on OAuth, but it appears that current recommendations
require an exact match for domain names. Wildcard or partial domain
name strings leave openings for attackers to exploit.
Aside from the injection of "conspiracy", the response given seems accurate.
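The countermeasure quoted above, as an added example that is not code from the IETF draft or from anyone in this thread: an authorization server's redirect_uri check by exact string comparison, beside the prefix-style partial match the draft advises against. The client registry and the candidate URIs are constructed for illustration.

```python
# Added example, not code from the IETF draft or from the mail thread.
# It contrasts the exact redirect_uri comparison the draft mandates
# (RFC 3986 section 6.2.1 simple string comparison) with a prefix-style
# "partial match" that an authorization server should not use.
# The client registry below is constructed for illustration.

REGISTERED_REDIRECT_URIS = {
    "client-a": ["https://app.example.com/oauth/callback"],
}


def exact_match_allowed(client_id: str, presented_uri: str) -> bool:
    """Exact string comparison: no case folding, no percent-decoding,
    no path normalization, no wildcard or prefix logic."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return any(presented_uri == r for r in registered)


def prefix_match_allowed(client_id: str, presented_uri: str) -> bool:
    """The weaker 'partial match' the draft advises against: accepts any
    URI that merely begins with a registered value."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return any(presented_uri.startswith(r) for r in registered)


# Constructed candidates a server might see in an authorization request.
CANDIDATES = [
    "https://app.example.com/oauth/callback",             # registered value
    "https://app.example.com/oauth/callback/",            # trailing slash
    "https://app.example.com/oauth/callback?next=other",  # extra query
    "https://APP.example.com/oauth/callback",             # host case differs
    "https://app.example.com/oauth/callback-v2",          # different path
]


def compare_policies(client_id: str = "client-a"):
    """Return {uri: (exact_allowed, prefix_allowed)} for every candidate,
    so the two policies can be compared side by side."""
    return {u: (exact_match_allowed(client_id, u),
                prefix_match_allowed(client_id, u)) for u in CANDIDATES}


if __name__ == "__main__":
    # Only the registered value passes exact matching; the prefix policy
    # also accepts the trailing-slash, extra-query and different-path forms.
    for uri, (exact, prefix) in compare_policies().items():
        print(f"exact={exact!s:5} prefix={prefix!s:5} {uri}")
```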