[OpenID] Fwd: OpenID Spoofing
Paul Madsen
paulmadsen at rogers.com
Fri Jan 12 20:57:35 UTC 2007
Dmitry, if there were a MITM between the browser and the OpenID provider proxying messages to/fro, it wouldn't care about the email or SMS channel described in the post below.

The user would see a nicely 'sealed' email just as if they were interacting directly with the IDP; they'd paste the 'code' and hand it off to the MITM, to be then proxied on. So, the MITM is now authenticated as the user and has plenty of opportunity to ensure that the OTP effect isn't an issue.

Fundamentally, MITMs don't need to be ITM of all channels in order to steal useful identity/credentials and are probably perfectly happy to not be.

Or are you thinking that 'plain phishing' is the simpler social attack?
paul
Dmitry Shechtman wrote:
> Now that we've established that by "OpenID spoofing" nobody meant anything
> more than plain phishing, I think I found a solution:
>
> http://blog.phpbb.cc/2007/01/12/external-authentication-and-otp/
>
> Any comments are welcome (first-timer moderation).
>
>
> Regards,
> Dmitry
> =damnian
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
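The relay Paul describes, as a toy model added here for illustration (it is not code from the thread, from OpenID, or from the linked post). Every name in it is constructed: `IdP` stands in for the OpenID provider, its `outbox` list stands in for the email/SMS channel, and `RelayingMitm` is a proxy that forwards each message unchanged. The point it shows is the one in the message above: the out-of-band code is still one-time and is still only delivered to the real user, yet the session the provider marks as authenticated is the one the proxy opened, not one the browser holds.

```python
import secrets


class IdP:
    """Constructed stand-in for an OpenID provider that confirms logins with a
    one-time code sent over a separate channel (email/SMS)."""

    def __init__(self):
        # session id -> login state; the code is bound to the session it was issued for
        self.sessions = {}
        # constructed stand-in for the email/SMS channel: (user, code) pairs
        self.outbox = []

    def start_login(self, user):
        sid = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = {"user": user, "code": code, "authenticated": False}
        self.outbox.append((user, code))  # the real user gets the 'sealed' message
        return sid

    def submit_code(self, sid, code):
        s = self.sessions.get(sid)
        if s is None or s["authenticated"]:
            return False  # unknown session, or code already consumed (OTP property)
        if not secrets.compare_digest(s["code"], code):
            return False
        s["authenticated"] = True
        return True


def read_code(idp, user):
    """What the user does with the out-of-band channel: read the latest code."""
    codes = [c for (u, c) in idp.outbox if u == user]
    return codes[-1]


def direct_login(idp, user):
    """Browser talks to the IdP itself; the authenticated session is the browser's."""
    sid = idp.start_login(user)
    return idp.submit_code(sid, read_code(idp, user)), sid


class RelayingMitm:
    """Constructed proxy between browser and IdP. It never touches the email/SMS
    channel; it only forwards what the browser sends and keeps the IdP session."""

    def __init__(self, idp):
        self.idp = idp
        self.sid = None  # the IdP session id; the browser never sees it

    def start_login(self, user):
        self.sid = self.idp.start_login(user)
        return "browser-facing-handle"  # what the browser believes is its session

    def submit_code(self, _handle, code):
        return self.idp.submit_code(self.sid, code)


def proxied_login(idp, user):
    """Same user behaviour as direct_login, but every message goes via the proxy.
    Returns (login accepted?, the IdP session id the proxy now holds)."""
    mitm = RelayingMitm(idp)
    handle = mitm.start_login(user)
    code = read_code(idp, user)              # channel untouched, code reaches real user
    ok = mitm.submit_code(handle, code)      # user pastes it into the page they see
    return ok, mitm.sid


if __name__ == "__main__":
    idp = IdP()
    ok, sid = proxied_login(idp, "alice")
    print("login accepted:", ok)
    print("authenticated session held by proxy:", idp.sessions[sid]["authenticated"])
    # the code really was one-time: a second submission is rejected
    print("replay rejected:", not idp.submit_code(sid, idp.sessions[sid]["code"]))
```

The OTP check in `submit_code` is not what fails; it behaves exactly as designed. What the model makes visible is that the code is bound to a session the provider issued to whoever opened the login, and in the relayed case that is the proxy. A countermeasure therefore has to bind the login to the browser's own channel with the provider (something the proxy cannot forward), not add more channels to the user.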