[OpenID] Trust + Security @ OpenID

John Panzer jpanzeracm at johnpanzer.com
Fri Jul 20 14:59:27 UTC 2007


Dmitry Shechtman wrote:
> The attack vector:  I poison your local DNS resolver, or proxy all 
> traffic, so that http://foo.blogspot.com actually resolves to 
> http://evil.org's IP.  If you follow the 302 redirect, you could be 
> allowing evil.org to tell you what the "canonical" URL is.  For example 
> it could do a 302 redirect over to https://evil.org which presents a 
> valid certificate and which can masquerade as the user's OP, capturing 
> their password.  (For users who check URLs, it could be 
> https://my.open1d.org instead of https://evil.org.)
> 
> Pardon my ignorance regarding TLS, but I don’t see what protection it 
> would provide against such an attack. Is TLS similar to SSL with the 
> exception of http prefix usage?
> 

Sorry!  Yes.  TLS in this context means negotiating to do SSL over port 
80 via HTTP 1.1 mechanisms.  Once the client and server upgrade, it's 
effectively the same security as https.  Specifically the client is sent 
a server certificate which proves that they are (say) foo.blogspot.com.

(If someone knows differently, please correct the above.)

-John
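As an added example (not code from this thread or from any OpenID library), here is a policy check a discovery client could apply to a redirect chain so that a redirect served from an unauthenticated hop (poisoned DNS answered over plain HTTP, or a server presenting a valid certificate for some other name) never gets to set the "canonical" URL. The `Hop` record and the sample chains are constructed for illustration; `cert_host` stands in for the hostname a validated certificate proved on that fetch, whether reached via https or via the HTTP/1.1 upgrade to TLS discussed above.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Hop:
    """One fetch as the client saw it (constructed record, not a real library type)."""
    url: str                  # URL the client asked for
    status: int               # HTTP status returned
    location: Optional[str]   # Location header on a redirect, else None
    cert_host: Optional[str]  # hostname a validated certificate proved, None if plain HTTP


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def cert_matches(cert_host: Optional[str], host: str) -> bool:
    """True if a certificate issued for cert_host vouches for host (exact or one-label wildcard)."""
    if not cert_host:
        return False
    cert_host = cert_host.lower()
    if cert_host == host:
        return True
    if cert_host.startswith("*."):
        suffix = cert_host[1:]
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return False


def trusted_canonical(hops: List[Hop]) -> Optional[str]:
    """Return the final URL only if every hop was authenticated for the host it was fetched from.
    DNS answers are untrusted, so the certificate, not the resolved IP, binds a hop to its host."""
    for i, hop in enumerate(hops):
        if not cert_matches(hop.cert_host, _host(hop.url)):
            return None  # plain HTTP or wrong-host certificate: its redirect cannot be trusted
        last = i == len(hops) - 1
        if hop.status in REDIRECTS:
            if last or hop.location != hops[i + 1].url:
                return None  # truncated or inconsistent chain
        elif hop.status == 200 and last:
            return hop.url
        else:
            return None
    return None


# Constructed sample chains. The poisoned one mirrors the attack described in the thread.
POISONED = [Hop("http://foo.blogspot.com/", 302, "https://evil.org/", None),
            Hop("https://evil.org/", 200, None, "evil.org")]
WRONG_CERT = [Hop("https://foo.blogspot.com/", 302, "https://evil.org/", "evil.org"),
              Hop("https://evil.org/", 200, None, "evil.org")]
GOOD = [Hop("https://foo.blogspot.com/", 302, "https://foo.blogspot.com/openid", "*.blogspot.com"),
        Hop("https://foo.blogspot.com/openid", 200, None, "*.blogspot.com")]
```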


