OpenID homesite authorization spoofed
Dick Hardt
dick at sxip.com
Mon Oct 23 01:44:08 UTC 2006
Alaric, looks like your message was truncated. Would you elaborate on the attack?
btw: the MITM attack by the RP on the IdP is a known issue.
-- Dick
On 22-Oct-06, at 6:38 PM, Alaric Dailey wrote:
>
> With my consent, Eddy has successfully spoofed openID using a server on his internal network and then successfully used that to log onto my openid account at myopenid.com. This didn't take any special hacking skills, just some DNS trickery and a little coding. The problem would have been
>
> Using encryption would have made this much more difficult. I have screen shots if anyone cares; I'd attach them except that I am sure they would be stripped.
>
> Using a mutual authentication between membersite and homesite would have made it impossible, while still being transparent to the user. That isn't to say there wouldn't be a footprint, but the user would have nothing more to do.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general