[OpenID] Reconsidering http://openid different from https://openid
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Sep 24 17:45:36 UTC 2007
Pat Patterson wrote:
> I don't understand this from section 11.5.2:
> Surely, if an attacker gained control of the HTTP URL, he would be
> free to redirect to an endpoint of his choosing, a clear reduction in
> security. Am I missing something?
HTTP URL = Web site?
HTTP = DNS?
Surely, if an attacker gained control of the HTTP*S* URL this would be a
clear reduction in security.
Guess you don't miss anything.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390