[OpenID] Questions about Spoofing OpenId
Claus Färber
GMANE at faerber.muc.de
Sun Feb 4 14:02:51 UTC 2007
David Fuelling wrote:
> Q3.) The above attack will show the wrong url in the browser address bar,
> and the SSL cert will be with the wrong host. Setting aside the "the
> average user is too dumb or too lazy to notice" arguments, if *I* verify
> that the URL and SSL cert are for the correct host, then with what certainty
> can I assume I am not being spoofed (assuming nobody is DNS attacking me)?
No. Your OP might have cross-site scripting vulnerabilities, allowing an
attacker to inject malicious HTML code in your OP's login page. For
example, your browser could be tricked into sending your password to the
attacker instead of the OP.
Claus
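The failure mode Claus describes, as an added example that is not part of the thread: an OP login page that reflects a request parameter into its own markup without escaping can end up with a second form, so the browser posts the password somewhere other than the OP even though the address bar and certificate are correct. The code is mine, not the OpenID project's; it assumes (my assumption, not the page's) an OP at the placeholder origin https://op.example that echoes the request's `openid.return_to` value into a hidden field, and shows the unsafe rendering next to a hardened one together with a check a defender can run on the rendered page.

```python
"""Added example (not from the thread): unsafe vs. hardened rendering of an
OpenID Provider (OP) login page, plus a check that the only form on the page
posts back to the OP. Placeholder host and parameter handling are assumed."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

OP_ORIGIN = "https://op.example"  # placeholder OP origin, assumed for the example

# Minimal login form; the hidden field carries openid.return_to across the login.
LOGIN_TEMPLATE = (
    '<form method="post" action="{action}">'
    '<input type="hidden" name="openid.return_to" value="{return_to}">'
    '<input type="password" name="password">'
    "</form>"
)


def render_login_unsafe(return_to: str) -> str:
    """Reflects the parameter verbatim: quotes and tags inside it become markup."""
    return LOGIN_TEMPLATE.format(action=OP_ORIGIN + "/login", return_to=return_to)


def render_login_safe(return_to: str) -> str:
    """Rejects non-http(s) values and HTML-escapes whatever is reflected."""
    parsed = urlparse(return_to)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("openid.return_to must be an absolute http(s) URL")
    return LOGIN_TEMPLATE.format(
        action=OP_ORIGIN + "/login",
        return_to=html.escape(return_to, quote=True),
    )


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(page: str) -> list:
    parser = _FormActions()
    parser.feed(page)
    return parser.actions


def password_stays_on_op(page: str) -> bool:
    """True only if the page has exactly one form and it posts to the OP origin."""
    actions = form_actions(page)
    if len(actions) != 1:
        return False
    target = urlparse(actions[0])
    return f"{target.scheme}://{target.netloc}" == OP_ORIGIN


if __name__ == "__main__":
    # Constructed regression input: a return_to value that closes the hidden
    # field and the form, then opens a form pointing away from the OP.
    tampered = 'https://rp.example/a"></form><form action="https://not-the-op.example/">'
    print("unsafe keeps password on OP:", password_stays_on_op(render_login_unsafe(tampered)))
    print("safe keeps password on OP:  ", password_stays_on_op(render_login_safe(tampered)))
```

The scheme check alone is not enough (the tampered value above is a syntactically valid https URL); it is the escaping that keeps the reflected value inside the attribute. Running `password_stays_on_op` against the rendered page is the kind of test an OP can keep in its suite so this class of injection is caught before the page is deployed.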