OpenID homesite authorization spoofed
David Nicol
davidnicol at gmail.com
Mon Oct 23 04:41:41 UTC 2006
On 10/22/06, Dick Hardt <dick at sxip.com> wrote:
> Alaric:
>
> 1) details on the attack would be greatly appreciated
>
> 2) the "digital drivers license" is a little ways off. We are still
> taking baby steps. OpenID Authentication does not do anything more
> than prove you were the same entity that was at RP previously. The
> same functionality of a username and password.
>
> -- Dick
From reading this thread I understand that by using DNS spoofing it
is possible -- if I can write to your /etc/hosts file it is possible -- to
pretend to be you in terms of OpenID Authentication, the OpenID equivalent
of modifying a target's getty or sshd binary to collect credentials.
That certainly isn't anything to catastrophize about in my opinion.
--
The Country Of The Blind, by H.G. Wells
http://cronos.advenge.com/pc/Wells/p528.html