security
Dick Hardt
dick at sxip.com
Mon Oct 23 17:36:05 UTC 2006
On 23-Oct-06, at 10:28 AM, Eddy Nigg (StartCom Ltd.) wrote:
> See below:
>
> Dick Hardt wrote:
>> On 23-Oct-06, at 4:47 AM, James A. Donald wrote:
>>> Dick Hardt wrote:
>>>> Perhaps we can discuss this from another point of view. Why
>>>> should I need SSL on a blog I am writing a comment on when all
>>>> the data I provide the blog will be published and public anyway?
>>>> An attacker is not going to see anything more on the HTTP
>>>> connection than they would on the blog?
>>> If he sees your users login information, there is a problem.
>> Not if he is seeing the results. Obviously if the attacker sees
>> the user's username and password there is a problem.
> And even more obvious, a homesite would give you options to change
> the password and/or personal details... Other sites might have other
> details to show in the "personal user area". And yes, there is a
> huge problem!
>
> BTW, with today's spam on forums, which includes URL postings and
> sending mail messages to members, this is already a problem even at
> these low-profile sites...
>
> Therefore: Bad design will always hurt and insecurity by design
> even more... It doesn't matter if the login is a blog or payment
> site, both have the right and interest in reasonable protection,
> otherwise it simply will not stick....
Eddy, I am not sure you understand how OpenID works. Provided there
is an SSL connection to the Homesite/IdP, none of that data is
compromised. No personal data is moved in the connection between the
user and the RP.
-- Dick
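The claim in Dick's reply, that the user's credential travels only on the user-to-IdP leg while the user-to-RP leg carries the identifier and a signed assertion, as an added illustration that is not part of this thread: a Python simulation of the OpenID 1.1 checkid_setup exchange, with each function marking which leg its fields travel on. The identifier, return URL, association handle and shared HMAC key are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values: a user's claimed identifier, the RP's return URL,
# and the HMAC key the RP and IdP share from a prior association request.
IDENTITY = "http://alice.example.net/"
RP_RETURN_TO = "http://blog.example.org/openid/return"
ASSOC_HANDLE = "assoc-constructed-1"
ASSOC_KEY = b"constructed-shared-secret-for-demo"
SIGNED = ["mode", "identity", "return_to"]

def checkid_setup_request():
    """Leg 1: redirect the RP sends the user-agent to the IdP (OpenID 1.1 fields)."""
    return {"openid.mode": "checkid_setup", "openid.identity": IDENTITY,
            "openid.return_to": RP_RETURN_TO, "openid.trust_root": "http://blog.example.org/",
            "openid.assoc_handle": ASSOC_HANDLE}

def idp_login_form(password):
    """Leg 2: the user's credential is posted to the IdP only (the leg that needs TLS)."""
    return {"username": "alice", "password": password}

def sign(fields, key):
    """OpenID 1.1 signature: base64(HMAC-SHA1) over 'name:value\\n' for each signed field."""
    token = "".join(f"{n}:{fields['openid.' + n]}\n" for n in SIGNED).encode()
    return base64.b64encode(hmac.new(key, token, hashlib.sha1).digest()).decode()

def id_res_response():
    """Leg 3: signed positive assertion the IdP returns via the user-agent to the RP."""
    fields = {"openid.mode": "id_res", "openid.identity": IDENTITY,
              "openid.return_to": RP_RETURN_TO, "openid.assoc_handle": ASSOC_HANDLE,
              "openid.signed": ",".join(SIGNED)}
    fields["openid.sig"] = sign(fields, ASSOC_KEY)
    return fields

def rp_verify(fields):
    """RP checks the assertion with the shared key; the key itself never crosses the wire."""
    return hmac.compare_digest(sign(fields, ASSOC_KEY), fields["openid.sig"])

def fields_visible_on_rp_leg():
    """What a passive observer of plaintext user<->RP traffic can read: the public
    identifier URL, the handle and the signature, but no password and no key."""
    return sorted(set(checkid_setup_request()) | set(id_res_response()))

def credential_crosses_rp_leg():
    return "password" in fields_visible_on_rp_leg()
```

Tampering with a signed field (for example openid.identity) makes rp_verify fail, which is why the RP leg needs the association key only at the endpoints and not on the wire.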