[OpenID] Announcing OpenID Authentication 2.0 - Implementor'sDraft 11
benl at google.com
Mon Jan 22 16:53:11 UTC 2007
On 1/22/07, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Mon, Jan 22, 2007 at 03:36:44PM +0000,
> Ben Laurie <benl at google.com> wrote
> a message of 28 lines which said:
> > > The only way that I can see that you are going to circumvent an
> > > attempt using existing browser capabilities is to introduce a
> > > malicious login page is through use of some form of shared secret
> > > such as a picture of a cuddly animal chosen by the user or Secure
> > > Letterhead.
> > How is this kind of shared secret a defence against a MitM?
> If you see the cuddly animal as the background image of the login
> screen, you know you see the authentic login form. If you see an ugly
> beast, it means there is a Man in the Middle.
> The MitM cannot fake the login screen because he does not know the
> animal you choosed (the shared secret).
Why not? The man in the middle sees what you would see, surely?
More information about the general