Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Jan 22 21:39:33 UTC 2007
On Mon, Jan 22, 2007 at 04:53:11PM +0000,
Ben Laurie <benl at google.com> wrote
a message of 21 lines which said:
> Why not? The man in the middle sees what you would see, surely?
OK, sorry, I replied too fast. I was replying in the context of a
phishing attempt by a rogue RP redirecting to a pirate OP posing as
the legitimate OP. If sessions are not protected by TLS, indeed, a
real MitM (able to observe and to modify) can subvert the "shared
secret" method.
However, it makes the attack much more difficult, no?