undefined | Better HN

0 pointsjogux6y ago0 comments

Neither of you need to; the article contains a link to https://bitbucket.org/openid/connect/src/default/How-Sign-in... where a bunch of experts have analysed the current (beta) signin with Apple against the spec. In particular it's "signing with apple on the web" that they've analysed, which is open for anyone to analyze using the developer tools in a browser etc.

Apple are actually following the OpenID standard, that's why the list is differences is concise and to the point. Several of the pieces that are missing/different are items that were added to OpenID to prevent attacks that have been used against pure OAuth 2.

Many of the potential attacks relate to fooling the third party sites as to what happened, so it is difficult/impossible to mitigate them with magic on Apple's side.

(disclaimer: I'd listed as a contributor on above doc. I'm writing here in a purely personal capacity.)

0 comments

1 comments · 1 top-level

ksec6y ago

>The big tech companies all tend to have excellent security teams, each of which have particular strengths. Google's obviously includes low-level vulnerability research and browser security. Apple's includes hardware security and cryptography. I would be surprised if they "missed out on a half dozen important security features".

>In particular it's "signing with apple on the web" that they've analysed, which is open for anyone to analyze using the developer tools in a browser etc.

Why is it I am getting the idea Apple just aren't very good with the web. I am reading it as Sign In with Apple ID is secure on the devices, iOS and App, but not when used on the web.

j / k navigate · click thread line to collapse