[OpenID] Announcing OpenID Authentication 2.0 - Implementor'sDraft 11

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 22 15:56:17 UTC 2007

On Mon, Jan 22, 2007 at 03:36:44PM +0000,
 Ben Laurie <benl at google.com> wrote 
 a message of 28 lines which said:

> > The only way that I can see that you are going to circumvent an
> > attempt using existing browser capabilities is to introduce a
> > malicious login page is through use of some form of shared secret
> > such as a picture of a cuddly animal chosen by the user or Secure
> > Letterhead.

> How is this kind of shared secret a defence against a MitM?

If you see the cuddly animal as the background image of the login
screen, you know you see the authentic login form. If you see an ugly
beast, it means there is a Man in the Middle.

The MitM cannot fake the login screen because he does not know the
animal you choosed (the shared secret).

More information about the general mailing list