Currently the OAuth spec states:

> In some client environments, it may be difficult to resolve all identity types. For example, handle resolution may involve DNS TXT queries, which are not directly supported from browser apps. Client implementations might use alternative techniques (such as DNS-over-HTTP) or could make use of a supporting web service to resolve identities.

The use of DNS from native devices has security & privacy implications. An attacker could listen, or worse, tamper with DNS-based identity resolution to lure users into entering their credentials on the wrong PDS.

We should adapt the spec to state that native devices "MUST" make use of SSL-based solutions (DoH, HTTPS atproto identity resolution, or their own SSL-protected service) in order to perform the resolution from a backend service.
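As an added example (not code from the atproto project or from the issue author), the client-side shape of the requirement discussed above in Python: a resolver accepts only `https://` endpoints, then strictly parses the two atproto handle-resolution answers, the `_atproto.<handle>` TXT record (here in the form of a DNS-over-HTTPS JSON answer) and the `https://<handle>/.well-known/atproto-did` body, and rejects anything that is not exactly one well-formed DID for the handle being resolved. The handle `alice.example`, the DoH endpoint `dns.example`, the DID value and the sample answers are constructed; the `application/dns-json` answer layout and the DID regex are simplifying assumptions, not the project's own definitions.

```python
"""Strict parsing of atproto handle-resolution answers fetched over HTTPS.

Added example, not part of the atproto project. Covers the _atproto.<handle>
DNS TXT record (as a DNS-over-HTTPS JSON answer in the common
application/dns-json shape, an assumption) and the
https://<handle>/.well-known/atproto-did body. All sample data is constructed.
"""
import json
import re
from typing import Callable, Optional
from urllib.parse import urlparse

# Simplified DID syntax (assumption): did:plc:<24 base32 chars> or did:web:<host>
_DID_RE = re.compile(r"^did:(plc:[a-z2-7]{24}|web:[a-z0-9.\-]+(%3[aA][0-9]+)?)$")
_TXT = 16  # DNS record type for TXT


class ResolutionError(ValueError):
    """Raised when an answer cannot be trusted or parsed."""


def require_https(endpoint: str) -> str:
    """Accept only https:// resolver or supporting-service endpoints.

    Plain DNS or http:// lets an on-path party substitute a DID that points
    at a PDS it controls; refusing such endpoints is the client-side "MUST".
    """
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ResolutionError(f"resolver endpoint must use https://, got {endpoint!r}")
    return endpoint


def validate_did(did: str) -> str:
    """Reject anything that is not a single, well-formed atproto DID."""
    if not _DID_RE.match(did):
        raise ResolutionError(f"malformed DID {did!r}")
    return did


def did_from_doh_answer(handle: str, doh_json: str) -> str:
    """Extract the DID from a DoH JSON answer for the _atproto.<handle> TXT record.

    Only TXT records whose owner name is exactly _atproto.<handle> count, and
    exactly one did= record must be present.
    """
    doc = json.loads(doh_json)
    if doc.get("Status") != 0:
        raise ResolutionError(f"DNS rcode {doc.get('Status')} for {handle!r}")
    expected = f"_atproto.{handle}".lower()
    dids = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != _TXT:
            continue
        if rr.get("name", "").rstrip(".").lower() != expected:
            continue  # an answer for some other owner name is not ours
        txt = rr.get("data", "").strip().strip('"')  # TXT data is returned quoted
        if txt.startswith("did="):
            dids.append(txt[len("did="):])
    if len(dids) != 1:
        raise ResolutionError(f"expected exactly one did= record, found {len(dids)}")
    return validate_did(dids[0])


def did_from_wellknown(body: bytes) -> str:
    """Parse the https://<handle>/.well-known/atproto-did response body."""
    try:
        text = body.decode("ascii").strip()
    except UnicodeDecodeError as exc:
        raise ResolutionError("well-known body is not ASCII") from exc
    if not text or "\n" in text or "\r" in text:
        raise ResolutionError("well-known body must be a single DID line")
    return validate_did(text)


def try_resolve(fn: Callable[..., str], *args) -> Optional[str]:
    """Run one resolution step, returning None instead of raising."""
    try:
        return fn(*args)
    except ResolutionError:
        return None


# Constructed sample answers (not captured traffic)
SAMPLE_HANDLE = "alice.example"
SAMPLE_DID = "did:plc:ewvi7nxzyoun6zhxrhs64oiz"
SAMPLE_DOH_OK = json.dumps({
    "Status": 0,
    "Question": [{"name": "_atproto.alice.example.", "type": _TXT}],
    "Answer": [{"name": "_atproto.alice.example.", "type": _TXT, "TTL": 300,
                "data": f'"did={SAMPLE_DID}"'}],
})
# Same record, but the owner name does not match the handle being resolved
SAMPLE_DOH_WRONG_NAME = SAMPLE_DOH_OK.replace("_atproto.alice.example.", "_atproto.other.example.")
# Record present, but the DID value is not well-formed
SAMPLE_DOH_BAD_DID = SAMPLE_DOH_OK.replace(SAMPLE_DID, "did:plc:not-a-real-id")

if __name__ == "__main__":
    require_https("https://dns.example/dns-query")  # hypothetical DoH endpoint
    print(did_from_doh_answer(SAMPLE_HANDLE, SAMPLE_DOH_OK))
    print(did_from_wellknown(b"did:plc:ewvi7nxzyoun6zhxrhs64oiz\n"))
    print(try_resolve(require_https, "http://dns.example/dns-query"))  # None
```

The transport fetch itself (an HTTPS GET against the DoH endpoint or the handle's well-known URL) is left to the caller; the point of the block is that the endpoint check and the strict answer parsing sit in front of whatever credential flow uses the resolved DID.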