OpenID homesite authorization spoofed
Josh Hoyt
josh at janrain.com
Mon Oct 23 21:27:56 UTC 2006
On 10/23/06, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
> Yes, it is most likely, that in fact this wasn't the case. Perhaps with a
> little bit more investment - and the fact, that myopenid.com operates in
> http mode (i.e. unsecured) - we could have put the missing piece together in
> order to allow it.
Also note that the presentation of user credentials to MyOpenID.com
*does* happen over SSL and that once a user has signed in to their
MyOpenID.com account, all communication with that user (e.g.
presentation of authentication requests) happens over SSL.
Josh