OpenID homesite authorization spoofed

Alaric Dailey alaricdailey at hotmail.com
Mon Oct 23 14:32:34 UTC 2006


HTTPS CAN be exploited in this fashion.

This is one of the major problems with SSL for websites: it is UTTERLY
dependent on DNS.  I actually have USED this to allow development on my
machine when the code of a website redirects you to a specific HTTPS URL.  I
simply install the cert on my machine, and edit the hosts file, voila! Off I
go.




-----Original Message-----
From: James A. Donald [mailto:jamesd at echeque.com] 
Sent: Monday, October 23, 2006 6:55 AM
To: Recordon, David
Cc: Alaric Dailey; general at openid.net
Subject: Re: OpenID homesite authorization spoofed

Recordon, David wrote:
> If this involved DNS spoofing, then it certainly is
> known that OpenID can be exploited in such fashion,
> just as every other site out on the Internet today not
> using DNSSEC can be.

No.

Sites that use SRP or HTTPS cannot be exploited in this fashion.

If your bookmark says https://hushmail.com, and you click on your bookmark,
you will get to the right hushmail.com, or fail to get anywhere.
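The two messages above describe the same client behaviour from opposite ends: a hosts-file entry (or a spoofed DNS answer) changes only which address the browser connects to, while whether the connection is accepted depends on the certificate the peer presents validating against the machine's trust store for the name in the URL. The following model is an added example written for this archive page, not code from either poster or from OpenID. It is a deliberate simplification: a certificate is just its subjectAltName list and its issuer, and "the issuer is in the trust store" stands in for a real signature check over the chain (a real client also checks validity periods and revocation). The addresses are from the TEST-NET ranges and the CA names are constructed.

```python
"""Model of an HTTPS client's accept/reject decision when name resolution is
overridden (hosts file or spoofed DNS). Constructed example; not real TLS.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 leaf certificate."""
    sans: tuple    # dNSName entries from subjectAltName
    issuer: str    # name of the CA that signed it (assumption: trust = issuer name)


@dataclass
class Client:
    """A browser-like client: its trust store and how it resolves names."""
    trust_store: set                              # CA names this machine trusts
    hosts: dict = field(default_factory=dict)     # /etc/hosts style overrides
    dns: dict = field(default_factory=dict)       # answers the resolver would give

    def resolve(self, hostname):
        # The hosts file is consulted before DNS, as the OS resolver does.
        return self.hosts.get(hostname) or self.dns[hostname]


def hostname_matches(pattern, hostname):
    """dNSName matching in the style of RFC 6125 section 6.4.3: case-insensitive;
    a wildcard is allowed only as the entire leftmost label, matches exactly one
    label, and needs at least two labels to its right (so '*.com' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def connect(client, hostname, servers):
    """Resolve hostname, take the certificate the host at that address presents,
    and decide as a TLS client would. Returns (ip, accepted, reason)."""
    ip = client.resolve(hostname)
    cert = servers[ip]
    if cert.issuer not in client.trust_store:
        return ip, False, "issuer %s not trusted" % cert.issuer
    if not any(hostname_matches(san, hostname) for san in cert.sans):
        return ip, False, "certificate not valid for %s" % hostname
    return ip, True, "ok"


# Constructed network: which certificate is served at which address.
REAL_CERT = Cert(sans=("hushmail.com", "www.hushmail.com"), issuer="Public CA")
ATTACKER_CERT = Cert(sans=("hushmail.com",), issuer="Attacker CA")
DEV_CERT = Cert(sans=("*.example.test", "hushmail.com"), issuer="Local Dev CA")
SERVERS = {
    "203.0.113.10": REAL_CERT,      # the genuine site (TEST-NET-3 address)
    "198.51.100.7": ATTACKER_CERT,  # attacker's server (TEST-NET-2 address)
    "127.0.0.1": DEV_CERT,          # the developer's own machine
}
REAL_DNS = {"hushmail.com": "203.0.113.10"}


def normal_bookmark_click():
    """Untampered DNS, untampered trust store: the bookmark reaches the real site."""
    c = Client(trust_store={"Public CA"}, dns=dict(REAL_DNS))
    return connect(c, "hushmail.com", SERVERS)


def dns_spoofed_only():
    """DNS answer points at the attacker, but no trusted CA signed their cert."""
    c = Client(trust_store={"Public CA"}, dns={"hushmail.com": "198.51.100.7"})
    return connect(c, "hushmail.com", SERVERS)


def developer_hosts_override():
    """hosts entry to localhost plus the dev CA installed in the local trust store."""
    c = Client(trust_store={"Public CA", "Local Dev CA"},
               hosts={"hushmail.com": "127.0.0.1"}, dns=dict(REAL_DNS))
    return connect(c, "hushmail.com", SERVERS)


def developer_hosts_override_without_dev_ca():
    """Same hosts entry, but the dev CA was never installed: the client refuses."""
    c = Client(trust_store={"Public CA"},
               hosts={"hushmail.com": "127.0.0.1"}, dns=dict(REAL_DNS))
    return connect(c, "hushmail.com", SERVERS)


if __name__ == "__main__":
    for scenario in (normal_bookmark_click, dns_spoofed_only,
                     developer_hosts_override,
                     developer_hosts_override_without_dev_ca):
        print("%-40s -> %s" % (scenario.__name__, scenario()))
```

The first two scenarios are the situation James describes: redirecting the name changes the address but the client either reaches a server holding a certificate a trusted CA issued for that name, or refuses. The last two are the setup Alaric describes: the hosts entry alone gets the same refusal, and it is installing the certificate into the machine's trust store that makes the redirected connection succeed.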