[OpenID] Questions about Spoofing OpenId

David Fuelling sappenin at gmail.com
Tue Jan 23 18:47:18 UTC 2007


Just for clarification...

Is it possible to "spoof" OpenID OPs?  People seem to be providing a lot of
"phishing" vectors, but there were a couple of emails that mentioned a
spoofing attack that went like this:

1.) User navigates to evil RP.
2.) User enters their OpenID into evil RP.
3.) RP redirects to evil OP (evilOP.com), which "proxies" legitOP.com.
4.) User sees everything about their legit OP in real-time, including any
"uploaded verification photos" or "prearranged color schemes", etc.
However, the URL in the browser window shows "evilOP.com", and there might
even be a gold padlock indicating a valid SSL session with evilOP.com.

Q1.) Is the attack vector here simply that the user may not notice that the
URL is actually "evilOP.com", and that the SSL cert is for the wrong host?

Q2.) Is it easy to proxy a website (legitOP.com) in such a fashion?

Q3.) The above attack will show the wrong URL in the browser address bar,
and the SSL cert will be for the wrong host.  Setting aside the "the
average user is too dumb or too lazy to notice" arguments, if *I* verify
that the URL and SSL cert are for the correct host, then with what certainty
can I assume I am not being spoofed (assuming nobody is DNS attacking me)?

Q4.) Is it correct to say that an OP cannot be (easily) spoofed if the
URL/SSL Cert are "correct"?

Thanks!

David
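The proxying scenario this message describes, as an added illustration. This is example code written for this page, not code from the original post or from any OpenID implementation. The hostnames (legitop.com, evilop.com), the login page and the certificate dicts are constructed; the certificate dicts mimic the shape returned by ssl.SSLSocket.getpeercert(), and the hostname matcher is a simplified one (DNS SANs and single-label wildcards only, no CN fallback, no IDN handling).

```python
"""Added illustration of the "proxying OP" scenario described in the message above.

Example code written for this page, not from the original post or from any
OpenID library. Hostnames, the login page and the certificate dicts are all
constructed; the cert dicts follow the shape of ssl.SSLSocket.getpeercert().
"""
import re
from urllib.parse import urlparse

LEGIT_OP = "legitop.com"
EVIL_OP = "evilop.com"

# Constructed: the legitimate OP's login page, including the personalised cues
# the message mentions (a verification photo, a colour scheme). All of it is
# served to whoever asks, so a proxy can reproduce it in real time.
LEGIT_LOGIN_PAGE = """<html><head>
<link rel="openid.server" href="https://legitop.com/openid/server">
<style>body { background: #ffe4b5 }</style></head>
<body><form action="https://legitop.com/login" method="post">
<img src="https://legitop.com/u/alice/verify.jpg">
<input name="password" type="password"></form></body></html>"""

# Constructed certificates in getpeercert() shape. The evil OP's certificate is
# perfectly valid for evilop.com, which is exactly why the browser shows a padlock.
LEGIT_CERT = {"subjectAltName": (("DNS", "legitop.com"),)}
EVIL_CERT = {"subjectAltName": (("DNS", "evilop.com"), ("DNS", "*.evilop.com"))}


def proxy_rewrite(body, upstream_host, proxy_host):
    """What the proxying OP does to every page it relays: replace references to
    the upstream host so the browser (and the login form POST) keep talking to
    the proxy. Photos, colours and text pass through unchanged."""
    return body.replace(upstream_host, proxy_host)


def op_endpoint_from_html(html):
    """OpenID 1.x discovery: the <link rel="openid.server"> element on the
    identity page names the OP endpoint the RP will redirect the user to."""
    m = re.search(r'<link[^>]*rel="openid\.server"[^>]*href="([^"]+)"', html)
    return m.group(1) if m else None


def cert_matches_host(cert, host):
    """Does the certificate cover this hostname? Exact DNS SAN match, or a
    wildcard SAN whose '*' stands for exactly one label."""
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if (value.startswith("*.") and host.endswith(value[1:])
                and host.count(".") == value.count(".")):
            return True
    return False


def is_legit_op(address_bar_url, cert, expected_op_host):
    """The check the message asks about in Q3/Q4: the host in the address bar
    must be the OP host the user expects, and the presented certificate must
    be for that host. A valid certificate for some other host (the padlock on
    evilop.com) does not satisfy it."""
    host = urlparse(address_bar_url).hostname
    return host == expected_op_host and cert_matches_host(cert, host)


def visible_content_identical(legit_page, proxied_page, upstream_host, proxy_host):
    """True when the only difference between the two pages is the hostname,
    i.e. nothing on the page itself distinguishes the proxy from the real OP."""
    return proxied_page.replace(proxy_host, upstream_host) == legit_page


if __name__ == "__main__":
    proxied = proxy_rewrite(LEGIT_LOGIN_PAGE, LEGIT_OP, EVIL_OP)
    print("content identical apart from host:",
          visible_content_identical(LEGIT_LOGIN_PAGE, proxied, LEGIT_OP, EVIL_OP))
    print("real OP passes check: ",
          is_legit_op("https://legitop.com/login", LEGIT_CERT, LEGIT_OP))
    print("proxy OP passes check:",
          is_legit_op("https://evilop.com/login", EVIL_CERT, LEGIT_OP))
    print("proxy has a valid cert for its own host:",
          cert_matches_host(EVIL_CERT, "evilop.com"))
```

Two things the example makes concrete. Everything on the relayed page, photo and colour scheme included, survives the proxy untouched, so the page content itself carries no signal; the only differences are the hostname in the address bar and the host the certificate was issued for, which is what the check in is_legit_op compares. The "nobody is DNS attacking me" caveat corresponds to the remaining case the function also rejects: the address bar shows the right host but the certificate presented is not for it.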
