[OpenID] Announcing OpenID Authentication 2.0 - Implementor'sDraft 11

Stephane Bortzmeyer bortzmeyer at nic.fr
Mon Jan 22 21:39:33 UTC 2007

On Mon, Jan 22, 2007 at 04:53:11PM +0000,
 Ben Laurie <benl at google.com> wrote 
 a message of 21 lines which said:

> Why not? The man in the middle sees what you would see, surely?

OK, sorry, I replied too fast. I was replying in the context of a
phishing attempt by a rogue RP redirecting to a pirate OP posing as
the legitimate OP. If sessions are not protected by TLS, indeed, a
real MitM (able to observe and to modify) can subvert the "shared
secret" method.

However, it makes the attack much more difficult, no?

More information about the general mailing list