SurveyMan/SMGoogleSheetsPlugin

Security issues of passing tokens around

Opened this issue · 0 comments

AMT does not use OAuth, so we will be passing tokens around.

There are two places where I could see us having security problems:

  1. Holding tokens in memory (local problems -- malicious scripts, chrome apps, etc)
  2. Sending tokens across HTTP (MITM)

Thoughts:

  1. How much of a threat is having stuff in one of those memories?
  2. Do we need to encode the token as it's entered and decode it on the server side?
    Should we send the token to the server over HTTPS? Will encoding the tokens obviate the need for HTTPS? I could do something like have the JS call a GET and acquire some salt. Then hash with salt in JS and send that back over to the server. Server decodes.