[OpenID] authentication spoofing security challenge

Recordon, David drecordon at verisign.com
Fri Dec 22 20:35:12 UTC 2006


But you wouldn't have a session on Vox.  All authentication requests go
through the User-Agent.

--David 

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Rowan Kerr
Sent: Friday, December 22, 2006 3:32 PM
To: openid general discussion
Subject: Re: [OpenID] authentication spoofing security challenge

On 12/22/06, David Nicol <davidnicol at gmail.com> wrote:
> The discussion in
> http://digg.com/programming/OpenID_is_growing_in_momentum
> includes the following challenge:
>
> > ok.. not to be a complete egomaniac here, really, but my openid is
> > gavinengel.com (points to Vox id provider, and no I did not have
> > to use any extra code like people keep referring to) I'm very interested
> > if anyone can post with my id on any livejournal page. I seriously doubt
> > you could, I have as much faith in this authentication as I do in the
> > best of them.

If he had set LiveJournal to "always trust" (or similar), and you leave
a comment on LiveJournal, and he was currently logged in on Vox, and
LiveJournal made a Direct request for authentication (avoiding knowing a
difference in IPs between his session and the attacker) ...
would it not possibly post the comment as him?

-Rowan
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
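To illustrate David's point that the checkid request travels through the commenter's own user-agent (and so carries that browser's Vox session, not Gavin's), here is an added toy model in Python; it is not code from the thread or from Vox or LiveJournal, and the cookie values, URLs, association secret and the `VoxOP`/`LiveJournalRP` classes are constructed for the example.

```python
import hashlib, hmac

# Constructed shared secret; in real OpenID it comes from the RP/OP association step.
ASSOC_SECRET = b"constructed-association-secret"

def sign(fields):
    """OpenID 1.x style signature: HMAC-SHA1 over newline-separated key:value pairs."""
    token = "".join(f"{k}:{fields[k]}\n" for k in ("mode", "identity", "return_to"))
    return hmac.new(ASSOC_SECRET, token.encode(), hashlib.sha1).hexdigest()

class VoxOP:
    """Identity provider: it knows the user only from the requesting browser's cookie."""
    def __init__(self):
        self.sessions = {  # constructed cookie -> identity map
            "vox-cookie-of-gavin": "http://gavinengel.com/",
            "vox-cookie-of-mallory": "http://mallory.example/",
        }
        self.always_trust = {("http://gavinengel.com/", "http://www.livejournal.com/")}

    def checkid_immediate(self, claimed_id, trust_root, return_to, browser_cookie):
        owner = self.sessions.get(browser_cookie)
        if owner != claimed_id or (claimed_id, trust_root) not in self.always_trust:
            # This browser holds no session for the claimed identity, so the OP
            # cannot vouch for it and asks for interactive setup instead.
            return {"mode": "id_res", "user_setup_url": "https://vox.example/login"}
        fields = {"mode": "id_res", "identity": claimed_id, "return_to": return_to}
        fields["sig"] = sign(fields)
        return fields

class LiveJournalRP:
    """Relying party. The checkid request is indirect: the commenter's own
    user-agent carries it to the OP along with whatever Vox cookie it holds."""
    trust_root = "http://www.livejournal.com/"
    return_to = "http://www.livejournal.com/comment/return"

    def post_comment(self, op, claimed_id, browser_cookie):
        resp = op.checkid_immediate(claimed_id, self.trust_root, self.return_to, browser_cookie)
        if ("user_setup_url" not in resp and hmac.compare_digest(resp["sig"], sign(resp))
                and resp["identity"] == claimed_id and resp["return_to"] == self.return_to):
            return f"comment posted as {claimed_id}"
        return "login at Vox required; comment not posted"

def simulate():
    # Three browsers try to comment as gavinengel.com; only Gavin's own succeeds.
    op, rp, gavin = VoxOP(), LiveJournalRP(), "http://gavinengel.com/"
    return {
        "gavin_own_browser": rp.post_comment(op, gavin, "vox-cookie-of-gavin"),
        "stranger_no_vox_session": rp.post_comment(op, gavin, None),
        "mallory_own_vox_session": rp.post_comment(op, gavin, "vox-cookie-of-mallory"),
    }
```

Mallory's browser does hold a Vox session, just not Gavin's, so the OP answers with a setup URL rather than a signed assertion for Gavin's identifier.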
