[OpenID] Fwd: OpenID Spoofing

Paul Madsen paulmadsen at rogers.com
Fri Jan 12 21:39:29 UTC 2007


The phisher doesn't need the seal; it lets the valid IDP send the code
to the user with the seal. The MITM would only need the seal if it were
to try to send the email itself.

Dmitry Shechtman wrote:
> Paul Madsen wrote:
>   
>> The user would see a nicely 'sealed' email
>>     
>
> In order to get that seal, the phisher would have to proxy either the
> whole registration process or the email exchange.
>
>
> Regards,
> Dmitry
> =damnian

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 




