OpenID homesite authorization spoofed

Alaric Dailey alaricdailey at hotmail.com
Mon Oct 23 19:20:03 UTC 2006


Yes...

Yes it is.  But the problem takes on special implications when you aren't
doing your own authentication.  I can trust that going to 127.0.0.1 is going
to go to the right place.  So when I am doing my own auth, I am sure that
the site doing the validation is doing what I think and that they are who I
think they are.  The moment you offload the auth to another site and have to
connect back to them, you have a completely new bunch of problems to deal
with, including (but not limited to) DNS failures, incorrect DNS resolutions
(DNS poisoning or just a simple error), insecure end points, etc...

-----Original Message-----
From: Recordon, David [mailto:drecordon at verisign.com] 
Sent: Monday, October 23, 2006 1:58 PM
To: Alaric Dailey; James A. Donald
Cc: general at openid.net
Subject: RE: OpenID homesite authorization spoofed

Isn't this a larger problem on the entire Internet though...

--David 

-----Original Message-----
From: Alaric Dailey [mailto:alaricdailey at hotmail.com]
Sent: Monday, October 23, 2006 7:33 AM
To: 'James A. Donald'; Recordon, David
Cc: general at openid.net
Subject: RE: OpenID homesite authorization spoofed


HTTPS CAN be exploited in this fashion.

This is one of the major problems with SSL for websites, it is UTTERLY
dependent on DNS.  I actually have USED this to allow development on my
machine when the code of a website redirects you to a specific HTTPS
URL.  I simply install the cert on my machine, and edit the hosts file,
voila! Off I go.




-----Original Message-----
From: James A. Donald [mailto:jamesd at echeque.com]
Sent: Monday, October 23, 2006 6:55 AM
To: Recordon, David
Cc: Alaric Dailey; general at openid.net
Subject: Re: OpenID homesite authorization spoofed

Recordon, David wrote:
> If this involved DNS spoofing, then it certainly is
> known that OpenID can be exploited in such fashion,
> just as every other site out on the Internet today not
> using DNSSEC can be.

No.

Sites that use SRP or HTTPS cannot be exploited in this fashion.

If your bookmark says https://hushmail.com, and you click on your
bookmark, you will get to the right hushmail.com, or fail to get
anywhere.
