[OpenID] Fwd: OpenID Spoofing

Paul Madsen paulmadsen at rogers.com
Fri Jan 12 21:39:29 UTC 2007

The phisher doesn't need the seal; it lets the valid IDP send the code 
to the user with the seal. The MITM would only need the seal if it were 
to try to send the email itself.

Dmitry Shechtman wrote:
> Paul Madsen wrote:
>> The user would see a nicely 'sealed' email
> In order to get that seal, the phisher would have to proxy either the
> whole registration process or the email exchange.
> Regards,
> Dmitry
> =damnian

Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
