[OpenID] Fwd: OpenID Spoofing
paulmadsen at rogers.com
Fri Jan 12 22:55:27 UTC 2007
well if a bad SP redirects the browser to the phished IDP (or just keeps
the browser), from that browser's point of view, it will be interacting
with a perfectly valid site (i.e. one whose cert matches domain etc) so
it should be perfectly happy with its SSL handshake. The MITM isn't 'in
the middle' from the browser's expectations.
Dmitry Shechtman wrote:
> Dmitry Shechtman
>> You got me. Nice catch, Paul!
>> I guess I'll have to think harder.
> I know I'm not thinking hard yet, but wasn't SSL supposed to solve MITM?
Paul Madsen e:paulmadsen @ ntt-at.com
More information about the general