[OpenID] What does Sxipper do?

Dick Hardt dick at sxip.com
Tue Jan 23 18:10:55 UTC 2007


On 23-Jan-07, at 7:50 AM, Ben Laurie wrote:

> On 1/23/07, Dick Hardt <dick at sxip.com> wrote:
>>
>> On 23-Jan-07, at 2:19 AM, Ben Laurie wrote:
>>
>> > So, it's been mentioned several times that Sxipper defends against the
>> > MitM attack on IdPs. But how? I can't find any information on it.
>>
>> Sxipper intercepts the browser calls to the Sxipper OP. If the RP
>> sends the user to a different OP (MITM), then nothing happens.
>> Sxipper has intimate knowledge of its own OP, so it is pretty hard to do
>> any MITM attack.
>
> Nothing happens? Or Sxipper thinks it's a new OP?

The user sees whatever site the RP redirected them to. It won't be the Sxipper OP, so the RP can't compromise what is going on.

> In any case,
> documentation would be nice.

Lots of things would be nice! ;-)

... the code is usable, but not code complete ... we need to do more work to flesh it out.

We are working on the OpenID FAQ. These are good questions. Thanks for asking them, Ben!

-- Dick
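The behaviour Dick describes, a browser-side helper that only acts on authentication requests aimed at the OP it knows and stays out of the way otherwise, can be sketched as a small classifier. The example below is added here and is not Sxipper's code; the trusted OP endpoint, the OpenID URLs and the RP addresses are constructed placeholders, and the helper only inspects the standard `openid.mode`, `openid.identity` and `openid.return_to` query parameters of an OpenID checkid redirect.

```javascript
// Added example (not Sxipper's code): classify an RP-issued OpenID redirect.
// The helper handles the request only when it targets the user's own OP;
// any other endpoint is passed through untouched, so the user just lands on
// whatever site the RP pointed at, as described in the thread.

// Constructed placeholder for the one OP endpoint this helper knows about.
const TRUSTED_OP = new URL("https://op.example.test/openid/server");

// Strict endpoint comparison: scheme, host (including port) and path must all
// match, so look-alike hosts such as op.example.test.evil.example do not pass.
function sameEndpoint(candidate, trusted) {
  return candidate.protocol === trusted.protocol &&
         candidate.host === trusted.host &&
         candidate.pathname === trusted.pathname;
}

// Returns { action: "handle", identity, returnTo } when the redirect is an
// OpenID authentication request for the trusted OP, otherwise
// { action: "passthrough", reason } and the helper does nothing.
function classifyRedirect(redirectUrl, trustedOp = TRUSTED_OP) {
  let url;
  try {
    url = new URL(redirectUrl);
  } catch (e) {
    return { action: "passthrough", reason: "not a URL" };
  }

  const mode = url.searchParams.get("openid.mode");
  if (mode !== "checkid_setup" && mode !== "checkid_immediate") {
    return { action: "passthrough", reason: "not an OpenID authentication request" };
  }

  if (!sameEndpoint(url, trustedOp)) {
    // The RP sent the browser somewhere other than the user's OP. Doing
    // nothing here is the defence: no credentials or assertions are produced
    // for an endpoint the helper does not recognise.
    return { action: "passthrough", reason: "endpoint is not the trusted OP" };
  }

  return {
    action: "handle",
    identity: url.searchParams.get("openid.identity"),
    returnTo: url.searchParams.get("openid.return_to"),
  };
}

// Constructed sample redirects, as an RP would issue them.
const SAMPLE_GOOD =
  "https://op.example.test/openid/server?openid.mode=checkid_setup" +
  "&openid.identity=https%3A%2F%2Falice.example.test%2F" +
  "&openid.return_to=https%3A%2F%2Frp.example.test%2Ffinish";
const SAMPLE_LOOKALIKE =
  "https://op.example.test.evil.example/openid/server?openid.mode=checkid_setup" +
  "&openid.identity=https%3A%2F%2Falice.example.test%2F" +
  "&openid.return_to=https%3A%2F%2Frp.example.test%2Ffinish";

console.log(classifyRedirect(SAMPLE_GOOD));      // action: "handle"
console.log(classifyRedirect(SAMPLE_LOOKALIKE)); // action: "passthrough"
```

The important design choice is that the comparison is an exact match on scheme, host and path against a single known endpoint rather than a substring or prefix test; a redirect to a different OP, to a look-alike host, or to the right host on an unexpected path all fall into the passthrough branch where the helper produces nothing an attacker could use.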
