Hacker News

JackSlateur, yesterday at 7:08 PM

AD allows connections between two computers that are registered against the Active Directory, including a random laptop and the AD itself.

This is a fundamental difference versus something like OAuth: in the former, everything is done to allow RCE on the AD (the code exists); in the latter, everything is done to prevent RCE on the issuer.

Identity is hard? Identity is a lot simpler once you assume that:

  - people make mistakes
  - code is buggy
  - infrastructure has issues

This is why using things like OAuth instead of AD's authentication mechanism is good: because it is secured by default and you must try really hard to allow a wide range of attacks.

Replies

Dylan16807, yesterday at 7:42 PM

"allows connections" isn't code execution. An actual example would be really helpful here.
