[OpenID] Fwd: OpenID Spoofing
Paul Madsen
paulmadsen at rogers.com
Fri Jan 12 21:39:29 UTC 2007
The phisher doesn't need the seal; it lets the valid IDP send the code
to the user with the seal. The MITM would only need the seal if it were
to try to send the email itself.
Dmitry Shechtman wrote:
> Paul Madsen wrote:
>
>> The user would see a nicely 'sealed' email
>>
>
> In order to get that seal, the phisher would have to proxy either the
> whole registration process or the email exchange.
>
>
> Regards,
> Dmitry
> =damnian
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com