[OpenID] Fwd: OpenID Spoofing
davidnicol at gmail.com
Fri Jan 12 22:43:50 UTC 2007
On 1/12/07, Dmitry Shechtman <damnian at gmail.com> wrote:
> Dmitry Shechtman
> > You got me. Nice catch, Paul!
> > I guess I'll have to think harder.
> I know I'm not thinking hard yet, but wasn't SSL supposed to solve MITM?
and it doesn't because end-users don't understand how certs work and the
can get a "trusted" cert. Therefore a "certificate dashboard" kind of thing
raises hell when a site that usually has one cert suddenly has a different
would be a good browser plugin. Or making the ramifications of the
Currently sites with "bad" certs are more secure than good ones, because the
approve-this-bad-cert dialog will come up and you can verify that it's the
cert as last time :)
pre-Α, Α, Β, rc, release.
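
The "certificate dashboard" idea in the message above, sketched as an added example that is not part of the original post: remember the certificate fingerprint each host presented last time and flag any change, whether or not the new certificate is CA-trusted. The class and method names (`CertDashboard`, `observe`, `accept`) and the sample byte strings are hypothetical.

```python
import hashlib
import json
from pathlib import Path


class CertDashboard:
    """Hypothetical trust-on-first-use store: one SHA-256 fingerprint per host."""

    def __init__(self, store_path=None):
        self.store_path = Path(store_path) if store_path else None
        self.pins = {}
        if self.store_path and self.store_path.exists():
            self.pins = json.loads(self.store_path.read_text())

    def _save(self):
        if self.store_path:
            self.store_path.write_text(json.dumps(self.pins, indent=2))

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def observe(self, host: str, der_cert: bytes) -> str:
        """Return 'first-seen', 'same' or 'CHANGED'.

        CA validity is deliberately not consulted: a replacement certificate
        that chains to a trusted CA is still reported as a change.
        """
        host = host.lower().rstrip(".")
        fp = self.fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "first-seen"
        # The old pin stays in place until accept() is called explicitly.
        return "same" if known == fp else "CHANGED"

    def accept(self, host: str, der_cert: bytes) -> None:
        """Record a reviewed certificate change (e.g. a legitimate renewal)."""
        self.pins[host.lower().rstrip(".")] = self.fingerprint(der_cert)
        self._save()


# Constructed stand-ins for DER certificates; real ones would come from
# ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
USUAL_CERT = b"constructed-der-bytes-for-the-usual-cert"
OTHER_CERT = b"constructed-der-bytes-for-a-different-cert"
```

A legitimate renewal also reports `CHANGED`, so the change has to be reviewed and then recorded with `accept()`.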