[OpenID] Fwd: OpenID Spoofing

Paul Madsen paulmadsen at rogers.com
Fri Jan 12 22:55:27 UTC 2007


well if a bad SP redirects the browser to the phished IDP (or just keeps 
the browser), from that browser's point of view, it will be interacting 
with a perfectly valid site (i.e. one whose cert matches domain etc) so 
it should be perfectly happy with its SSL handshake.  The MITM isn't 'in 
the middle' from the browser's expectations.

paul

Dmitry Shechtman wrote:
> Dmitry Shechtman
>   
>> You got me. Nice catch, Paul!
>>     
>
>   
>> I guess I'll have to think harder.
>>     
>
> I know I'm not thinking hard yet, but wasn't SSL supposed to solve MITM?
>
>
> Regards,
> Dmitry
> =damnian
>
>
>
>   

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 





More information about the general mailing list