[dix] Re: Gathering requirements for in-browser OpenID support
Pete Rowley
prowley at redhat.com
Thu Oct 19 19:04:42 UTC 2006
Dan Lyke wrote:
> On Thu, 19 Oct 2006 09:44:18 -0700, Barry Ferg wrote:
>
>> + agent to a host that proxies the user's IdP. The user's
>> + authentication credentials may then be compromised. SSL
>>
>
> The connection could also just be sniffed. The risks of passing
> reusable credentials over an insecure link aren't new, and we knew
> this about telnet connections back in the early '90s.
>
> Making specific mention of this in the spec may be okay, but unless
> there's something specific to the protocol (i.e., if a malicious site
> could compromise future logins by spoofing to both the user and to the
> relying party), I think the obvious things can be reduced to "traffic
> over the net may be watched by hostile parties".
>
That isn't the focus of the attack. The security of the transport layer
is irrelevant to the MITM attack based on a rogue RP.
--
Pete