OpenID homesite authorization spoofed
Recordon, David
drecordon at verisign.com
Mon Oct 23 18:57:46 UTC 2006

Isn't this a larger problem on the entire Internet though...

--David

-----Original Message-----
From: Alaric Dailey [mailto:alaricdailey at hotmail.com]
Sent: Monday, October 23, 2006 7:33 AM
To: 'James A. Donald'; Recordon, David
Cc: general at openid.net
Subject: RE: OpenID homesite authorization spoofed

HTTPS CAN be exploited in this fashion.

This is one of the major problems with SSL for websites: it is UTTERLY
dependent on DNS. I actually have USED this to allow development on my
machine when the code of a website redirects you to a specific HTTPS
URL. I simply install the cert on my machine, and edit the hosts file,
voila! Off I go.

-----Original Message-----
From: James A. Donald [mailto:jamesd at echeque.com]
Sent: Monday, October 23, 2006 6:55 AM
To: Recordon, David
Cc: Alaric Dailey; general at openid.net
Subject: Re: OpenID homesite authorization spoofed

Recordon, David wrote:
> If this involved DNS spoofing, then it certainly is known that
> OpenID can be exploited in such fashion, just as every other site out
> on the Internet today not using DNSSEC can be.

No.

Sites that use SRP or HTTPS cannot be exploited in this fashion.

If your bookmark says https://hushmail.com, and you click on your
bookmark, you will get to the right hushmail.com, or fail to get
anywhere.