[OpenID] Fwd: OpenID Spoofing

Paul Madsen paulmadsen at rogers.com
Fri Jan 12 20:57:35 UTC 2007

Dmitry, if there were a MITM between the browser and the OpenID provider 
proxying messages to/fro, it wouldn't care about the email or SMS 
channel described in the post below.

The user would see a nicely 'sealed' email just as if they were 
interacting directly with the IDP, they'd paste the 'code' and hand it 
off to the MITM, to be then proxied on. So, the MITM is now 
authenticated as the user and has plenty of opportunity to ensure that 
the OTP effect isn't an issue.

Fundamentally, MITM's don't need to be ITM of all channels in order to 
steal useful identity/credentials and are probably perfectly happy to 
not be.

Or are you thinking that 'plain phishing' is the simpler social attack?


Dmitry Shechtman wrote:
> Now that we've established that by "OpenID spoofing" nobody meant anything
> more than plain phishing, I think I found a solution:
> http://blog.phpbb.cc/2007/01/12/external-authentication-and-otp/
> Any comments are welcome (first-timer moderation).
> Regards,
> Dmitry
> =damnian
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432

More information about the general mailing list