[OpenID] Questions about Spoofing OpenId

Claus Färber GMANE at faerber.muc.de
Sun Feb 4 14:02:51 UTC 2007


David Fuelling schrieb:
> Q3.) The above attack will show the wrong url in the browser address bar,
> and the SSL cert will be with the wrong host.  Setting aside the "the
> average user is too dumb or too lazy to notice" arguments, if *I* verify
> that the URL and SSL cert are for the correct host, then with what certainty
> can I assume I am not being spoofed (assuming nobody is DNS attacking me)?  

No. Your OP might have cross-site scripting vulnerabilities, allowing an 
  attacker to inject malicious HTML code in your OP's login page. For 
example, you browser could be tricked into sending your password to the 
attacker instead of the OP.

Claus




More information about the general mailing list