OpenID homesite authorization spoofed

[Recordon, David]

Alaric,
Mind sharing the attack...at least privately?

If this involved DNS spoofing, then it certainly is known that OpenID
can be exploited in such fashion, just as every other site out on the
Internet today not using DNSSEC can be.

I'm not sure exactly what you and Eddy are trying to prove.  I fully
understand that using OpenID with no SSL and no DNSSEC is technically
insecure, and no one has ever made the claim that OpenID has "military
grade" security as it stands today.  Did you prove something else that
I'm just missing?

Regards,
--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Alaric Dailey
Sent: Sunday, October 22, 2006 6:38 PM
To: general at openid.net
Subject: OpenID homesite authorization spoofed


With my consent, Eddy has successfully spoofed openID using a server on
his internal network and then successfully used that log onto my openid
account at myopenid.com.  This didn't take any special hacking skills,
just some DNS trickery and a little coding.  The problem would have been


Using encryption would have made this much more difficult.  I have
screen shots if anyone cares, I'd attach them except that I am sure they
would be stripped.

Using a mutual authentication between membersite and homesite would have
made it impossible, while still being transparent to the user, that
isn't to say there wouldn't be a footprint, but the user would have
nothing more to do.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general