[OpenID] Fwd: OpenID Spoofing

Paul Madsen paulmadsen at rogers.com
Fri Jan 12 20:57:35 UTC 2007


Dmitry, if there were a MITM between the browser and the OpenID provider 
proxying messages to/fro, it wouldn't care about the email or SMS 
channel described in the post below.

The user would see a nicely 'sealed' email just as if they were 
interacting directly with the IDP, they'd paste the 'code' and hand it 
off to the MITM, to be then proxied on. So, the MITM is now 
authenticated as the user and has plenty of opportunity to ensure that 
the OTP effect isn't an issue.

Fundamentally, MITM's don't need to be ITM of all channels in order to 
steal useful identity/credentials and are probably perfectly happy to 
not be.

Or are you thinking that 'plain phishing' is the simpler social attack?

paul

Dmitry Shechtman wrote:
> Now that we've established that by "OpenID spoofing" nobody meant anything
> more than plain phishing, I think I found a solution:
>
> http://blog.phpbb.cc/2007/01/12/external-authentication-and-otp/
>
> Any comments are welcome (first-timer moderation).
>
>
> Regards,
> Dmitry
> =damnian
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>   

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 





More information about the general mailing list