Google Groups

Protection against "Spoofing by Counterfeit Servers"

Joel S Apr 14, 2011 1:44 PM
Posted in group: OAuth
Hi everyone,

In section 4.3 version 1.0 of the OAuth spec, it is stated that the
protocol does not attempt to verify the authenticity of the server.
Scanning the draft of 2.0 and searching the archives, I didn't see
much mention of this.

Has there been any work to address this issue?  I understand that
using SSL for all requests may mitigate this risk, but with SSL
certificates obtainable so easily and cheaply, it's hard to completely
trust it as well.