[OpenID] What does Sxipper do?

Dick Hardt dick at sxip.com
Tue Jan 23 15:10:59 UTC 2007

On 23-Jan-07, at 2:19 AM, Ben Laurie wrote:

> So, it's been mentioned several times that Sxipper defends against the
> MitM attack on IdPs. But how? I can't find any information on it.

Sxipper intercepts the browser calls to the Sxipper OP. If the RP  
sends the user to a different OP (MITM), then nothing happens.  
Sxipper has intimate knowledge of its own OP, so pretty hard to do  
any MITM attack

> Also, I know several people that would be interested in trying Sxipper
> but have declined to download it due to the lack of a visible licence.

License is displayed during install. Had not thought about is being  
available prior, good point.

> Finally, isn't this a little naughty? Front page:
> "Trustworthy - encrypts your personal data and stores it on your  
> computer"
> Release notes:
> "Encrypting profile store
> Your profile data is saved on your hard drive, it is currently not  
> encrypted."

It is still an early beta! ... but we should note the discrepancy on  
the home page.

-- Dick

More information about the general mailing list