[dix] Re: Gathering requirements for in-browser OpenID support
Pete Rowley
prowley at redhat.com
Thu Oct 19 19:19:29 UTC 2006
Mike Glover wrote:
> On Thu, 19 Oct 2006 18:52:01 +1000
> Chris Drake <christopher at pobox.com> wrote:
>
>
>> SO - technology that takes AWAY from the RP the opportunity to
>> initiate the OpenID login is a good way to safely prevent MITM
>> attacks - the only thing that remains is to nut out exactly how we
>> want to achieve this.
>>
>
>
> I'm not a security guy, so I'm hoping someone can help me understand. How does this case differ from a generic phishing attack? I understand that the mechanism and the stakes are different, but it seems that the problem is the same: The end user goes to a page that they think they have an account with (in this case, the IdP), but it's really an attacker's site.
>
> Am I misunderstanding the attack here?
>
It is similar, but it relies upon the fact that the RP is the one doing
the phishing, and that the user actually wants to login to the RP. Thus,
every RP is a potential phisher. The page the user goes to will even
look the same no matter which IdP they have since the RP knows which IdP
to scrape.
So all the clues tell the user they are at the right place except the
url bar - and that is probably the least looked at thing in a browser
for most people - especially when they don't know not to trust RPs,
which they won't.
Having the hooks that enable solutions to this outside the protocol is a
MUST in my view. So, go Chris :)
--
Pete
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20061019/7770127a/attachment-0002.bin>
More information about the general
mailing list