[OpenID] Questions about Spoofing OpenId
chowells at janrain.com
Tue Jan 23 18:59:28 UTC 2007
David Fuelling wrote:
> 4.) User sees everything about their legit OP in real-time, including any
> "uploaded verification photos" or "prearranged color schemes", etc.

That's not necessarily true. If the site is using a scheme which uses a
cookie (independent from being logged in) for keying the verification
photo or pre-arranged color scheme, that cookie won't be sent to
evil-op.com, and so it won't be able to proxy that. Some care has to be
taken to make sure that direct cross-linking won't work, but that's not

This is a case where you're actually making use of browsers' existing
functionality for checking domains.
More information about the general
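An added example (not code from the thread or from any OpenID implementation) of the cookie-keyed scheme the reply describes: the user's chosen verification photo is keyed by a cookie that is separate from the login session, the browser will only ever send that cookie to the legitimate OP's host, and the photo handler refuses requests that are cross-linked from another site. The origin op.example, the cookie name and the image ids are assumptions; Sec-Fetch-Site is a newer browser header, so the Referer check remains as the fallback.

```python
import secrets

# Constructed store for the example: token -> image id the user picked when
# enrolling. Holding a token proves nothing about identity; it only selects
# which photo the login page shows, so it must not be used to grant a session.
PHOTOS = {}

OUR_ORIGIN = "https://op.example"   # assumed legitimate OP origin


def issue_token(image_id):
    """Create a new personalization token and the Set-Cookie header for it."""
    token = secrets.token_urlsafe(16)
    PHOTOS[token] = image_id
    # Long-lived, scoped to the photo path only, never readable by script, and
    # (in browsers that honour it) never attached to a cross-site request.
    set_cookie = f"verify={token}; Path=/photo; Secure; HttpOnly; SameSite=Strict"
    return token, set_cookie


def _cookie_value(cookie_header, name):
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def verification_photo(headers):
    """Return the image id to serve, or None to serve the generic placeholder."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. The cookie is the key. evil-op.com proxying our pages never receives
    #    it, because the browser scopes the cookie to our domain.
    token = _cookie_value(h.get("cookie", ""), "verify")
    if token is None or token not in PHOTOS:
        return None
    # 2. Direct cross-linking: <img src="https://op.example/photo"> on a
    #    phishing page would make an older browser send the cookie anyway, so
    #    only answer when the embedding document is ours.
    site = h.get("sec-fetch-site")
    if site is not None:
        if site not in ("same-origin", "none"):   # 'none' = user typed the URL
            return None
    else:
        ref = h.get("referer", "")
        if not ref.startswith(OUR_ORIGIN + "/"):
            return None
    return PHOTOS[token]
```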