OpenID homesite authorization spoofed
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Oct 23 12:09:30 UTC 2006
James A. Donald wrote:
> Sites that use SRP or HTTPS cannot be exploited in this
> fashion.
>
> If your bookmark says https://hushmail.com, and you
> click on your bookmark, you will get to the right
> hushmail.com, or fail to get anywhere.
>
Not entirely correct. The way OpenID works currently, it is possible to
spoof it, even if secured by SSL and DNSSEC. Therefore there is
something else missing as well... But with the correct controls in place
(at the IDPs and RPs), this will not happen anymore afterwards if
secured by SSL and DNSSEC.
What is correct is that only the real site will have a valid certificate,
which, however, neither the IDP nor the RP is validating as of now...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
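The missing control the message above points at is an RP (or IDP) that fetches OpenID discovery documents and endpoints over TLS but never verifies the peer certificate or that the certificate actually names the host it connected to. The following is an added example, not code from the thread or from any OpenID library: a verifying TLS client context, a subjectAltName hostname matcher in the dict shape Python's `SSLSocket.getpeercert()` returns, and a fetch helper that refuses non-https endpoints. The certificate dict and the host names in it are constructed for illustration; `hushmail.com` is used only because it is the host named in the quoted reply.

```python
"""Certificate and hostname validation an OpenID RP should apply to
discovery and endpoint fetches. Added example; not from the original post."""
import http.client
import ipaddress
import ssl
from urllib.parse import urlparse


def make_verifying_context() -> ssl.SSLContext:
    """TLS client context that refuses unverifiable or misnamed peers.

    ssl.create_default_context() already sets CERT_REQUIRED and
    check_hostname=True; the explicit assignments keep the controls
    visible and make a later downgrade obvious in review.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive; a wildcard is accepted only
    as the entire left-most label, never matches across dots, and never
    matches a public-suffix-sized name such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False            # rejects 'a*b.example.com' and '*.com'
    if len(p_labels) != len(h_labels):
        return False            # '*.example.com' must not match 'a.b.example.com'
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Check that `hostname` is named in the certificate's subjectAltName.

    `cert` is the dict returned by SSLSocket.getpeercert(). Only
    subjectAltName is consulted; the Common Name is deliberately ignored,
    as browsers and Python's own verifier do today.
    """
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and _dns_pattern_matches(value, hostname):
            return True
    return False


def fetch_over_verified_tls(url: str, timeout: float = 10.0):
    """GET `url` for OpenID discovery, insisting on https and a verified,
    correctly named certificate. Returns (status, peer_cert). Needs
    network access; not exercised offline."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-TLS OpenID endpoint: {url}")
    conn = http.client.HTTPSConnection(
        parts.hostname, parts.port or 443,
        context=make_verifying_context(), timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        resp = conn.getresponse()
        cert = conn.sock.getpeercert()
        # check_hostname already enforced this during the handshake; the
        # explicit re-check documents the requirement and fails closed if
        # someone later swaps in a context with check_hostname=False.
        if not hostname_matches_cert(cert, parts.hostname):
            raise ssl.CertificateError(f"certificate does not name {parts.hostname}")
        return resp.status, cert
    finally:
        conn.close()


# Constructed peer-certificate dict in getpeercert() shape (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "hushmail.com"),),),
    "subjectAltName": (
        ("DNS", "hushmail.com"),
        ("DNS", "*.hushmail.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
```

The fetch helper is what an RP would call for both identifier and endpoint discovery; the pure functions are the part worth unit-testing, since a lookalike such as `hushmail.com.attacker.example` or a wildcard abuse is exactly the spoof the verification is meant to stop.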