undefined | Better HN

0 pointstptacek6y ago0 comments

The big tech companies all tend to have excellent security teams, each of which have particular strengths. Google's obviously includes low-level vulnerability research and browser security. Apple's includes hardware security and cryptography. I would be surprised if they "missed out on a half dozen important security features".

0 comments

3 comments · 1 top-level

will42746y ago· 2 in thread

The article describes the missing security features. Did you read it?

The lack of nonce makes replay protection impossible. The lack of c_hash opens up vulnerabilities in connect flows where the service incorrectly assumes the two tokens refer refer to the same user. Returning the id token on the query leaks it in the Referer header.

tptacekOP6y ago

I don't know enough about Sign In With Apple to map its security features to those of OpenID; I'm guessing you don't either.

jogux6y ago

Neither of you need to; the article contains a link to https://bitbucket.org/openid/connect/src/default/How-Sign-in... where a bunch of experts have analysed the current (beta) signin with Apple against the spec. In particular it's "signing with apple on the web" that they've analysed, which is open for anyone to analyze using the developer tools in a browser etc.

Apple are actually following the OpenID standard, that's why the list is differences is concise and to the point. Several of the pieces that are missing/different are items that were added to OpenID to prevent attacks that have been used against pure OAuth 2.

Many of the potential attacks relate to fooling the third party sites as to what happened, so it is difficult/impossible to mitigate them with magic on Apple's side.

(disclaimer: I'd listed as a contributor on above doc. I'm writing here in a purely personal capacity.)

1 more reply

j / k navigate · click thread line to collapse