In section 4.3 of version 1.0 of the OAuth spec, it is stated that the
protocol does not attempt to verify the authenticity of the server.
Scanning the draft of 2.0 and searching the archives, I didn't see
much mention of this.
Has there been any work to address this issue? I understand that
using SSL for all requests may mitigate this risk, but with SSL
certificates obtainable so easily and cheaply, it's hard to completely
trust it as well.