[OpenID] Trust + Security @ OpenID
Dmitry Shechtman
damnian at gmail.com
Fri Jul 20 11:54:57 UTC 2007
The attack vector: I poison your local DNS resolver, or proxy all traffic,
so that http://foo.blogspot.com actually resolves to http://evil.org's IP.
If you follow the 302 redirect, you could be allowing evil.org to tell you
what the "canonical" URL is. For example it could do a 302 redirect over to
https://evil.org which presents a valid certificate and which can masquerade
as the user's OP, capturing their password. (For users who check URLs, it
could be https://my.open1d.org instead of https://evil.org.)
Pardon my ignorance regarding TLS, but I don't see what protection it would
provide against such an attack. Is TLS similar to SSL with the exception of
http prefix usage?
Regards,
Dmitry
=damnian
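The redirect scenario discussed in this message, as an added example that is not part of the original post or of any OpenID library: a relying-party-side audit of the redirect chain seen during identifier discovery. It refuses to take a canonical URL from any hop that was not fetched over TLS. The function name, the refusal policy and the `foo.example` host are assumptions made for illustration, and certificate validation on `https` hops is assumed to be done by the HTTP client.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit_redirect_chain(entered_url, responses):
    """Walk the redirects observed while fetching a user-entered identifier.

    responses: (status, Location header) pairs in fetch order.
    Returns (canonical_url or None, findings). The policy is hypothetical.
    """
    current, findings, plaintext_hop = entered_url, [], False
    for status, location in responses:
        if status not in REDIRECT_CODES or not location:
            break
        target = urljoin(current, location)  # resolves relative Location values
        src, dst = urlsplit(current), urlsplit(target)
        if src.scheme != "https":
            # Nothing authenticated the server that issued this redirect, so a
            # poisoned resolver or proxy could have chosen the target.
            plaintext_hop = True
            findings.append(f"unauthenticated redirect: {current} -> {target}")
        if src.hostname != dst.hostname:
            findings.append(f"host change: {src.hostname} -> {dst.hostname}")
        current = target
    if urlsplit(current).scheme != "https":
        findings.append(f"final URL not fetched over TLS: {current}")
        return None, findings
    if plaintext_hop:
        # A valid certificate on the final host only proves who the final host
        # is, not that the entered identifier legitimately points to it.
        return None, findings
    return current, findings


# Constructed sample chains (not captured traffic).
POISONED = [(302, "https://evil.org/"), (200, None)]
CLEAN = [(301, "/user/"), (200, None)]

if __name__ == "__main__":
    print(audit_redirect_chain("http://foo.blogspot.com", POISONED))
    print(audit_redirect_chain("https://foo.example/", CLEAN))
```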