[dix] Re: Gathering requirements for in-browser OpenID support
Dick Hardt
dick at sxip.com
Thu Oct 19 16:48:25 UTC 2006
On 19-Oct-06, at 9:44 AM, Barry Ferg wrote:
> ===================================================================
> --- openid-authentication.xml (revision 68)
> +++ openid-authentication.xml (working copy)
> @@ -2218,6 +2218,15 @@
> all parts of the interaction, including interaction with
> the End User through the User Agent.
> </t>
> +
> + <t>
> + Another man in the middle attack exists in that a
> + malicious RP may take the identifier and redirect the user
> + agent to a host that proxies the user's IdP. The user's
> + authentication credentials may then be compromised. SSL
> + connections between the user agent and the IdP eliminate
> + this attack technique.
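Review bot: "SSL connections between the user agent and the IdP eliminate this attack technique" overstates what SSL buys here. The proxying host described two sentences earlier can serve its own SSL connection to the user agent, and server-side SSL alone gives the IdP no way to tell a proxy from the End User, so the paragraph should say SSL mitigates the attack only when the End User verifies that the User Agent is really at the IdP's URL, or when the IdP authenticates the client (for example with a client-side certificate). Minor: hyphenate "man-in-the-middle" when it modifies "attack".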
Actually, that is not true unless there is a client side cert, since
the IdP does not know it is not talking directly to the user, and
phishing studies have shown that the user will not notice they are on
the wrong URL or that the lock is present.
-- Dick