[OpenID] Fwd: OpenID Spoofing

David Nicol davidnicol at gmail.com
Fri Jan 12 22:43:50 UTC 2007

On 1/12/07, Dmitry Shechtman <damnian at gmail.com> wrote:
> Dmitry Shechtman
> > You got me. Nice catch, Paul!
> > I guess I'll have to think harder.
> I know I'm not thinking hard yet, but wasn't SSL supposed to solve MITM?

and it doesn't because end-users don't understand how certs work and they
can get a "trusted" cert.  Therefore a "certificate dashboard" kind of thing
that raises hell when a site that usually has one cert suddenly has a different
would be a good browser plugin. Or making the ramifications of the

Currently sites with "bad" certs are more secure than good ones, because the
approve-this-bad-cert dialog will come up and you can verify that it's the
same bad cert as last time :)
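The "certificate dashboard" idea in the message above, remembering the cert a site presented last time and raising an alarm when it changes, is the trust-on-first-use pattern later known as certificate pinning. The following is an added example written for this archive page, not code from the poster or from the OpenID project; the certificate bytes it feeds in are constructed placeholders, and the hostname and store path are assumptions for the demo.

```python
"""Trust-on-first-use certificate change detector (added example).

Keeps a local store mapping host -> SHA-256 fingerprint of the DER
certificate seen last time, and reports whether a newly presented
certificate is the same one, a first sighting, or a change that should
be surfaced to the user instead of silently accepted.
"""
import hashlib
import json
import ssl
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of the DER-encoded certificate, the value browsers show."""
    return hashlib.sha256(cert_der).hexdigest()


def check_certificate(store: dict, host: str, cert_der: bytes) -> str:
    """Compare the presented certificate with the one remembered for `host`.

    Returns:
      "first-seen" - nothing recorded yet; the fingerprint is pinned now
      "unchanged"  - same fingerprint as last time
      "CHANGED"    - different fingerprint; the pin is NOT updated here, the
                     caller should warn the user (the "raises hell" step)
    """
    fp = fingerprint(cert_der)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "first-seen"
    if known == fp:
        return "unchanged"
    return "CHANGED"


def accept_new_certificate(store: dict, host: str, cert_der: bytes) -> None:
    """Overwrite the pin only after the user explicitly confirmed the change."""
    store[host] = fingerprint(cert_der)


def load_store(path: Path) -> dict:
    """Read the JSON pin store; an absent file means an empty store."""
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def save_store(path: Path, store: dict) -> None:
    """Persist the pin store as JSON."""
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_server_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate from a live server (network access; the
    offline demo below does not call this)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for two different DER certs.
    cert_a = b"constructed placeholder DER bytes for certificate A"
    cert_b = b"constructed placeholder DER bytes for certificate B"
    store_path = Path("cert_pins.json")  # assumed location for the demo
    pins = load_store(store_path)

    host = "idp.example.test"  # assumed hostname for the demo
    print(host, check_certificate(pins, host, cert_a))  # first-seen
    print(host, check_certificate(pins, host, cert_a))  # unchanged
    print(host, check_certificate(pins, host, cert_b))  # CHANGED
    save_store(store_path, pins)
```

The important design choice is that a mismatch never updates the pin on its own: the stored fingerprint only moves when `accept_new_certificate` is called after a human has looked at the warning, which is exactly the "same bad cert as last time" check the message describes, applied to good certs as well.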

