[OpenID] Fwd: OpenID Spoofing

David Nicol davidnicol at gmail.com
Fri Jan 12 22:43:50 UTC 2007


On 1/12/07, Dmitry Shechtman <damnian at gmail.com> wrote:
>
> Dmitry Shechtman
> > You got me. Nice catch, Paul!
>
> > I guess I'll have to think harder.
>
> I know I'm not thinking hard yet, but wasn't SSL supposed to solve MITM?


and it doesn't because end-users don't understand how certs work and the MITM
can get a "trusted" cert.  Therefore a "certificate dashboard" kind of thing that
raises hell when a site that usually has one cert suddenly has a different one
would be a good browser plugin. Or making the ramifications of the demonstration
clearer.

Currently sites with "bad" certs are more secure than good ones, because the
approve-this-bad-cert dialog will come up and you can verify that it's the same bad
cert as last time :)


-- 
pre-Α, Α, Β, rc, release.
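The "certificate dashboard" idea above is trust-on-first-use pinning: remember the certificate a host presented last time and alarm when a different one shows up, the way the approve-this-bad-cert dialog lets a careful user compare by hand. The following is an added example written for this page, not code from the thread or from any OpenID implementation; `PinStore`, `fetch_leaf_der` and the `example.test` host are names chosen here, and the certificate bytes used in the offline check are constructed placeholders rather than real DER.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Optional

FIRST_SEEN = "first-seen"   # host never pinned before: record it (trust on first use)
MATCH = "match"             # same certificate as last time
CHANGED = "changed"         # different certificate: raise the alarm


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate in DER form.

    Normal CA validation stays on: the pin check below is an extra layer on top
    of it, not a replacement for it. (Network call; not used by the offline check.)
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Remembers the fingerprint first seen for each host and flags changes."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, der: bytes) -> str:
        """Return FIRST_SEEN, MATCH or CHANGED for this host/certificate pair."""
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self.save()
            return FIRST_SEEN
        if known == fp:
            return MATCH
        # Do NOT overwrite the pin here: a changed certificate is exactly the
        # event the user has to look at before anything else happens.
        return CHANGED

    def accept(self, host: str, der: bytes) -> None:
        """Explicitly accept a new certificate, e.g. after a verified rotation."""
        self.pins[host] = fingerprint(der)
        self.save()


def check_host(store: PinStore, host: str, port: int = 443) -> str:
    """Fetch the live certificate and run it through the pin store."""
    return store.check(host, fetch_leaf_der(host, port))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    store = PinStore(Path("pins.json"))
    print(target, check_host(store, target))
```

Run it as `python pin_check.py some.host` twice: the first run reports `first-seen` and writes the fingerprint to `pins.json`, later runs report `match`, and a run that reports `changed` leaves the stored pin untouched so the old and new fingerprints can be compared before `accept` is called. The store is deliberately a second check after ordinary chain validation, so a "trusted" certificate from a different issuer still trips the alarm.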