[dix] Re: Gathering requirements for in-browser OpenID support
Mike Glover
mpg4 at janrain.com
Thu Oct 19 19:03:19 UTC 2006
On Thu, 19 Oct 2006 18:52:01 +1000
Chris Drake <christopher at pobox.com> wrote:
> SO - technology that takes AWAY from the RP the opportunity to
> initiate the OpenID login is a good way to safely prevent MITM
> attacks - the only thing that remains is to nut out exactly how we
> want to achieve this.
I'm not a security guy, so I'm hoping someone can help me understand. How does this case differ from a generic phishing attack? I understand that the mechanism and the stakes are different, but it seems that the problem is the same: The end user goes to a page that they think they have an account with (in this case, the IdP), but it's really an attacker's site.
Am I misunderstanding the attack here?
-mike