[OpenID] Fwd: OpenID Spoofing
paulmadsen at rogers.com
Fri Jan 12 20:57:35 UTC 2007
Dmitry, if there were a MITM between the browser and the OpenID provider
proxying messages to/fro, it wouldn't care about the email or SMS
channel described in the post below.
The user would see a nicely 'sealed' email just as if they were
interacting directly with the IDP, they'd paste the 'code' and hand it
off to the MITM, to be then proxied on. So, the MITM is now
authenticated as the user and has plenty of opportunity to ensure that
the OTP effect isn't an issue.
Fundamentally, MITM's don't need to be ITM of all channels in order to
steal useful identity/credentials and are probably perfectly happy to
Or are you thinking that 'plain phishing' is the simpler social attack?
Dmitry Shechtman wrote:
> Now that we've established that by "OpenID spoofing" nobody meant anything
> more than plain phishing, I think I found a solution:
> Any comments are welcome (first-timer moderation).
> general mailing list
> general at openid.net
Paul Madsen e:paulmadsen @ ntt-at.com
More information about the general