[OpenID] Trust + Security @ OpenID

Dmitry Shechtman damnian at gmail.com
Fri Jul 20 11:54:57 UTC 2007


The attack vector:  I poison your local DNS resolver, or proxy all traffic,
so that http://foo.blogspot.com actually resolves to http://evil.org's IP.
If you follow the 302 redirect, you could be allowing evil.org to tell you
what the "canonical" URL is.  For example it could do a 302 redirect over to
https://evil.org which presents a valid certificate and which can masquerade
as the user's OP, capturing their password.  (For users who check URLs, it
could be https://my.open1d.org instead of https://evil.org.)

 

Pardon my ignorance regarding TLS, but I don't see what protection it would
provide against such an attack. Is TLS similar to SSL with the exception of
http prefix usage?

 

 

Regards,

Dmitry

=damnian
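The redirect scenario quoted in the message, seen from the relying party's side, as an added example that is not part of the original post or of any OpenID library. It assumes fetches are made with certificate validation enabled; the function names and the response tables are constructed for illustration, using the hostnames from the message.

```python
from urllib.parse import urljoin, urlsplit

# Constructed responses standing in for HTTP fetches: URL -> (status, Location).
# Hostnames are the ones used in the message; the responses are invented.
POISONED = {
    "http://foo.blogspot.com/": (302, "https://my.open1d.org/"),
    "https://my.open1d.org/": (200, None),
}
HONEST_TLS = {
    "https://foo.blogspot.com/": (302, "/id"),
    "https://foo.blogspot.com/id": (200, None),
}

class UntrustedChain(Exception):
    pass

def canonical_identifier(start, responses, max_hops=5):
    """Follow redirects and return the final URL, but only if every hop was
    HTTPS. `responses` models fetches done with certificate validation on
    (an assumption), so an https:// key means the server proved it holds a
    valid certificate for that hostname."""
    url, seen = start, set()
    for _ in range(max_hops + 1):
        if urlsplit(url).scheme != "https":
            # A plain-http hop is answered by whoever the resolver or proxy
            # points at, so any Location it returns cannot be trusted.
            raise UntrustedChain(f"unauthenticated hop: {url}")
        if url in seen:
            raise UntrustedChain(f"redirect loop at {url}")
        seen.add(url)
        status, location = responses[url]
        if status in (301, 302, 303, 307) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return url
    raise UntrustedChain("too many redirects")

def check(start, responses):
    """Return the canonical URL, or a 'rejected (...)' string with the reason."""
    try:
        return canonical_identifier(start, responses)
    except UntrustedChain as exc:
        return f"rejected ({exc})"

if __name__ == "__main__":
    print(check("http://foo.blogspot.com/", POISONED))
    print(check("https://foo.blogspot.com/", HONEST_TLS))
```

The valid certificate on the look-alike host does not help it here, because the hop that named it as canonical was never authenticated.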

 
