[security] MITM attacks on OpenID direct verification and association
thayes0993 at aol.com
thayes0993 at aol.com
Wed Feb 14 10:09:53 PST 2007
Who said anything about setting up a fake OP? I'm talking about putting a proxy in front of either the RP or the OP (exactly the situation that applies when modifying the direct verfication).
The proxy has to work only slightly harder, by modifying "associate" request/responses (directly between RP and OP) and assertions delivered from the OP to the RP by way of the browser.
Please read the security section of the spec again. The protocol relies on DNS and the security of the transport. That's it. That's what makes it easy to deploy.
Terry
-----Original Message-----
From: hgranqvist at verisign.com
To: thayes0993 at AOL.COM
Cc: security at openid.net
Sent: Wed, 14 Feb 2007 9:54 AM
Subject: Re: [security] MITM attacks on OpenID direct verification and association
thayes0993 at AOL.COM wrote:
> In short, associations are useful for reducing the cost of verifying
> assertions by allowing the verification to be performed by the RP.
> However they do not add to the resistance to MITM attacks.
So you found it as easy to set up a fake OP as it is to proxy-change
a DV 'no' to 'yes' down-stream?
I bet you didn't. And that complexity difference is the added
resistance.
-Hans
_______________________________________________
security mailing list
security at openid.net
http://openid.net/mailman/listinfo/security
________________________________________________________________________
Check out the new AOL. Most comprehensive set of free safety and security tools, free access to millions of high-quality videos from across the web, free AOL Mail and more.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/security/attachments/20070214/233514c5/attachment.htm
More information about the security
mailing list