[OpenID] Yahoo hijacking?
Allen Tom
atom at yahoo-inc.com
Sat Apr 19 01:22:42 UTC 2008
Max Metral wrote:
>
> Now I know that I'm overstating the real problem right now, but it's a
> trajectory thing. In the Yahoo case, the words say "I do not want to
> login" with a back arrow. That should not take me to www.yahoo.com.
>
And where should we send the user? The openid.return_to value is not
necessarily the referrer, and the user has already told us that they
don't want to sign in.
If OpenID was able to allow us to verify the referrer (meaning that the
Authentication Requests were signed using a shared secret between the OP
and the RP), then it would be safer to return the user back to the referrer.
Allen
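The mechanism Allen sketches (an authentication request bound to a secret the OP and RP already share, so the OP can trust openid.return_to even when the user cancels) can be modelled in a few lines. The following is an added example, not code from this thread or from any OpenID library: the openid.req_sig field, the association handle and the shared secret are all constructed assumptions, since OpenID 2.0 signs responses but not authentication requests. The OP side returns the RP's return_to with openid.mode=cancel only when the signature verifies and return_to lies within the stated realm; anything else falls back to the OP's own home page rather than an unverified URL.

```python
"""Hypothetical signed-request check for an OpenID-style cancel redirect.

Added example (not from the thread or any library). It assumes the RP and OP
share a per-association secret, as OpenID 2.0 associations do for response
signing, and that the RP attaches a constructed openid.req_sig field to its
authentication request covering return_to, realm and assoc_handle.
"""
import hashlib
import hmac
from urllib.parse import urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_HOME = "https://op.example.net/"  # fallback when return_to cannot be trusted

# Constructed sample association: handle -> shared secret. In a real OP this
# table is populated by the association step, not hard-coded.
ASSOCIATIONS = {"assoc-constructed-1": b"constructed-association-secret-0123456789abcdef"}

_SIGNED_FIELDS = ("openid.return_to", "openid.realm", "openid.assoc_handle")


def _sign(params: dict, secret: bytes) -> str:
    # HMAC over the fields the OP must trust before redirecting on cancel.
    canonical = "\n".join(f"{k}:{params.get(k, '')}" for k in _SIGNED_FIELDS).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_auth_request(return_to: str, realm: str, assoc_handle: str, secret: bytes) -> dict:
    """RP side: build a checkid_setup request and attach the hypothetical req_sig."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    }
    params["openid.req_sig"] = _sign(params, secret)
    return params


def _within_realm(return_to: str, realm: str) -> bool:
    # OpenID 2.0 realm rule: same scheme and port, matching host (with optional
    # "*." wildcard), and return_to path under the realm path.
    r, m = urlparse(return_to), urlparse(realm)
    if r.scheme != m.scheme or r.port != m.port:
        return False
    r_host, m_host = (r.hostname or ""), (m.hostname or "")
    if m_host.startswith("*."):
        if not (r_host == m_host[2:] or r_host.endswith(m_host[1:])):
            return False
    elif r_host != m_host:
        return False
    return (r.path or "/").startswith(m.path or "/")


def cancel_redirect_target(params: dict, associations: dict = ASSOCIATIONS) -> str:
    """OP side: where to send a user who clicked "I do not want to sign in".

    Returns return_to with openid.mode=cancel appended only when the request
    signature verifies under the named association and return_to is inside
    the realm. Otherwise the OP's own home page is returned.
    """
    secret = associations.get(params.get("openid.assoc_handle", ""))
    if secret is None:
        return OP_HOME
    presented = params.get("openid.req_sig", "")
    if not hmac.compare_digest(_sign(params, secret), presented):
        return OP_HOME  # return_to, realm or handle was altered in transit
    return_to = params.get("openid.return_to", "")
    if not _within_realm(return_to, params.get("openid.realm", "")):
        return OP_HOME
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({"openid.ns": OPENID_NS, "openid.mode": "cancel"})


if __name__ == "__main__":
    req = build_auth_request("https://rp.example.com/openid/return?session=abc",
                             "https://rp.example.com/", "assoc-constructed-1",
                             ASSOCIATIONS["assoc-constructed-1"])
    print(cancel_redirect_target(req))
    tampered = dict(req, **{"openid.return_to": "https://other.example.org/"})
    print(cancel_redirect_target(tampered))
```

The point of the realm check alongside the signature is that a verified signature only proves the RP asked for that return_to; the realm rule keeps the OP's cancel redirect within the site the user actually came from.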