security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Oct 23 02:09:49 UTC 2006
Dick Hardt wrote:
> A transaction is only as secure as its weakest link
>
Correct! Let's think about where the weakest link is and raise it a few
steps....
> Perhaps we can discuss this from another point of view. Why should I
> need SSL on a blog I am writing a comment on when all the data I
> provide the blog will be published and public anyway? An attacker is
> not going to see anything more on the HTTP connection than they would
> on the blog?
>
Not entirely correct. If the login details / sessions and whatever is
transmitted in plain, then I can reuse these details perhaps... But this
time it's not going to be used at this blog, but on something more
serious... That was my reasoning, that all transmissions related to the
OpenID login/access/whatever have to be secured... Since we are talking
about ONE login details at x sites (can be in the thousands at some
point) and a validity of a session, then the exploit can be almost
disastrous...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390