OpenID homesite authorization spoofed
James A. Donald
jamesd at echeque.com
Tue Oct 24 01:55:28 UTC 2006

Alaric Dailey wrote:
> HTTPS CAN be exploited in this fashion.
>
> This is one of the major problems with SSL for
> websites, it is UTTERLY dependent on DNS. I actually
> have USED this to allow development on my machine when
> the code of a website redirects you to a specific
> HTTPS URL. I simply install the cert on my machine,
> and edit the hosts file, voila! Off I go.

If you have the cert, then presumably you are entitled
to serve that HTTPS URL, whether DNS thinks so or not.
If an adversary could do that, then that would be a
problem. If you, a legitimate holder of the certificate
for that domain name, can do that, no problem.

If you have the cert for HTTPS, and DNS thinks you are
not entitled to serve that resource, so much the better
for HTTPS, and so much the worse for DNS.