[OpenID] Reconsidering http://openid different from https://openid
Christopher St John
ckstjohn at gmail.com
Sat Sep 29 13:28:04 UTC 2007
On 9/29/07, Lukas Rosenstock <lukas.rosenstock at identity20.eu> wrote:
> Am 29.09.2007, 03:44 Uhr, schrieb John Panzer <jpanzeracm at johnpanzer.com>:
>
> > Then I'm confused. If you do a redirect over http, a MITM attacker can
> > modify the response and show the user what appears to be their OP and
> > collect their password, right?
>
> ...
>
> All an attacker in control of
> http://myid/ can do is redirect to https://myid.fakeserver/ which is
> obviously != https://myid/.
>
Or, just eat the redirect and present a page that looks exactly
like the user's normal login?
-cks
--
Christopher St. John
http://artofsystems.blogspot.com
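The two attacks discussed above (redirect to a look-alike HTTPS host versus silently answering in place of http://myid/), as an added example that is not part of the original thread. It is a toy model of OpenID 2.0 discovery with a fake transport: an on-path attacker can rewrite any plain-HTTP response, but cannot alter HTTPS responses for myid because it has no certificate for that name. The hosts myid and myid.fakeserver, the page bodies and the `require_tls` option are all constructed for illustration; the only protocol fact relied on is that OpenID 2.0 prepends `http://` to a bare identifier during normalization.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed answers from the legitimate servers (hypothetical host "myid").
LEGIT_SERVERS = {
    "http://myid/": Response(301, {"Location": "https://myid/"}),
    "https://myid/": Response(200, body='<link rel="openid2.provider" href="https://myid/op">'),
}

# Constructed answers from a host the attacker owns a valid certificate for.
ATTACKER_SERVERS = {
    "https://myid.fakeserver/": Response(
        200, body='<link rel="openid2.provider" href="https://myid.fakeserver/op">'),
}


class Network:
    """Fake transport. attacker is None, "redirect" or "eat".

    An on-path attacker rewrites plain-HTTP traffic at will. HTTPS answers for
    myid are authentic because the attacker holds no certificate for that name.
    """

    def __init__(self, attacker=None):
        self.attacker = attacker

    def fetch(self, url):
        scheme = urlparse(url).scheme
        if scheme == "http" and self.attacker == "redirect":
            # Lukas's case: bounce the user to a host the attacker runs over TLS.
            return Response(302, {"Location": "https://myid.fakeserver/"})
        if scheme == "http" and self.attacker == "eat":
            # Chris's case: swallow the real redirect and serve a look-alike page
            # naming an OP endpoint that the attacker also intercepts.
            return Response(200, body='<link rel="openid2.provider" href="http://myid/op">')
        return {**LEGIT_SERVERS, **ATTACKER_SERVERS}.get(url, Response(404))


def normalize(identifier):
    """OpenID 2.0 section 7.2: a bare identifier gets "http://" prepended."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlparse(identifier)
    return f"{p.scheme}://{p.netloc}{p.path or '/'}"


LINK_RE = re.compile(r'<link rel="openid2.provider" href="([^"]+)"')


def discover(identifier, net, require_tls=False, max_redirects=5):
    """Return (claimed identifier after redirects, OP endpoint).

    require_tls (constructed option) refuses to fetch any hop over plain HTTP,
    which blocks both attacks at the cost of rejecting http:// identifiers.
    """
    url = normalize(identifier)
    for _ in range(max_redirects + 1):
        if require_tls and urlparse(url).scheme != "https":
            raise ValueError(f"refusing discovery over plain HTTP: {url}")
        resp = net.fetch(url)
        if resp.status in (301, 302, 303, 307, 308):
            url = resp.headers["Location"]
            continue
        if resp.status != 200:
            raise ValueError(f"discovery failed for {url}: HTTP {resp.status}")
        m = LINK_RE.search(resp.body)
        if not m:
            raise ValueError(f"no openid2.provider link at {url}")
        return url, m.group(1)
    raise ValueError("too many redirects")


if __name__ == "__main__":
    for mode in (None, "redirect", "eat"):
        claimed, op = discover("myid", Network(mode))
        print(f"attacker={mode!s:8} claimed={claimed:28} op={op}")
```

Running it shows the difference between the two attacks: the redirect variant leaves a claimed identifier of https://myid.fakeserver/, which the relying party displays and the user can in principle notice, while the "eat" variant yields http://myid/ with an attacker-chosen endpoint, indistinguishable to the relying party from an honest http identifier. Only an identifier that starts out as https://myid/, or a relying party that refuses plain-HTTP hops, keeps the attacker out of the loop.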