[OpenID] Questions about Spoofing OpenId

Carl Howells chowells at janrain.com
Tue Jan 23 18:59:28 UTC 2007


David Fuelling wrote:
> 4.) User sees everything about their legit OP in real-time, including any
> "uploaded verification photos" or "prearranged color schemes", etc.

That's not necessarily true.  If the site is using a scheme which uses a 
cookie (independent from being logged in) for keying the verification 
photo or pre-arranged color scheme, that cookie won't be sent to 
evil-op.com, and so it won't be able to proxy that.  Some care has to be 
taken to make sure that direct cross-linking won't work, but that's not 
too difficult.

This is a case where you're actually making use of browsers' existing 
functionality for checking domains.
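An added example illustrating the cookie-keyed scheme Carl describes (not code from the thread or from any OpenID implementation). It assumes an OP at legit-op.example, an in-memory dict in place of a database, and a browser that sends the modern Sec-Fetch-Site header; the SameSite attribute and Sec-Fetch-Site check are present-day defences against direct cross-linking that go beyond what the 2007 post mentions.

```python
"""Cookie-keyed verification image for an OpenID provider (added example).
Assumed OP host: legit-op.example. The store is a constructed in-memory dict."""
from http.cookies import SimpleCookie
from typing import Dict, Optional
import secrets

OP_HOST = "legit-op.example"            # assumption: the legitimate OP's domain
COOKIE_NAME = "verify_token"
_IMAGE_BY_TOKEN: Dict[str, str] = {}    # opaque token -> image the user picked


def enroll(image_id: str) -> str:
    """Bind the user's chosen picture to a random token and return the
    Set-Cookie header. The cookie is independent of the login session: it is
    set once at enrollment, so it is present even before the user logs in."""
    token = secrets.token_urlsafe(32)
    _IMAGE_BY_TOKEN[token] = image_id
    # Secure/HttpOnly keep the token off cleartext and away from page scripts;
    # SameSite=Strict stops the browser attaching it to <img> requests that
    # pages on other origins embed (direct cross-linking).
    return (f"{COOKIE_NAME}={token}; Secure; HttpOnly; SameSite=Strict; "
            f"Path=/verify; Max-Age=31536000")


def resolve_image(cookie_header: Optional[str], fetch_site: Optional[str],
                  referer: Optional[str]) -> Optional[str]:
    """Server-side decision for GET /verify/image: the image id to serve, or
    None, in which case a neutral placeholder is served instead."""
    if not cookie_header:
        # A phishing OP proxying our pages never sees this cookie: the browser
        # only sends it to legit-op.example, so the proxy cannot relay the image.
        return None
    morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
    if morsel is None or morsel.value not in _IMAGE_BY_TOKEN:
        return None
    # Defence in depth against cross-linking for browsers that still sent the
    # cookie: require a same-origin fetch context, and our own host as Referer.
    if fetch_site not in (None, "same-origin"):
        return None
    if referer and not referer.startswith(f"https://{OP_HOST}/"):
        return None
    return _IMAGE_BY_TOKEN[morsel.value]
```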
