[OpenID] Security related Use Cases?

Peter Williams pwilliams at rapattoni.com
Wed Oct 22 15:55:59 UTC 2008


If it helps, we decided to give those spokes (only those initiated FROM the OP) the choice of how we frame their site in a browser child, post SSO. They can choose to have it with or without a location bar, among other frame setup variables provided by IE/msft.

The nature of websso is of course such that the spoke/consumer site can use that new frame (which could now be address bar-less) to ping the IDP/OP again - using SAML/openidauth - whose UI would appear now in that frame.

We failed to make sense of IE7+ tabs (using only javascript), which seemed like a promising compromise - but which didn't work out. Perhaps others made tabs work, viably (without exploiting custom activeX downloads, controlling tabbing)?

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Wednesday, October 22, 2008 8:47 AM
To: Praveen Alavilli
Cc: OpenID List
Subject: Re: [OpenID] Security related Use Cases?

A real hacker wouldn't. But the fact that legitimate sites can do it means that some will likely do it. If legitimate sites embed the Yahoo sign-in page in an iframe, thus hiding yahoo.com from the location bar, users will become desensitized to not seeing yahoo.com when they enter their credentials. This will make the phisher's job that much easier.

On Wed, Oct 22, 2008 at 8:33 AM, Praveen Alavilli <AlavilliPraveen at aol.com> wrote:
But why would a hacker open the real yahoo sign in page in an iframe
(security enabled or not) - there is nothing to gain from it (whether it
shows the signin seal or not). Instead they are better off showing their
own phishing page to steal the credentials.

- Praveen

Breno de Medeiros wrote:
> On Tue, Oct 21, 2008 at 6:03 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>
>> Hi Breno,
>>
>> Do you have a demo of this?
>>
>
> I could put one together, the directions are here:
>
> http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx
>
>
>> Thanks
>> Allen
>>
>>
>> Breno de Medeiros wrote:
>>
>>> IE allows you to create an iframe and disable JS inside the iframe.
>>> 70-85% of users will be vulnerable to this attack.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
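The thread above turns on an OP sign-in page being loaded in an iframe whose scripting can be switched off, so a JavaScript-only frame-busting check never runs and the form still renders. As an added example (not code from the thread or from any OpenID project), the following page script inverts that default: the form is hidden by stylesheet and is revealed only when JavaScript actually executes in a top-level window, so a script-disabled or framed copy of the page stays blank. The `antiframe` style id and the `antiframe.js` file name are assumptions.

```javascript
// Added example (not from the thread): an OP sign-in page that stays hidden
// unless JavaScript runs in a top-level window. If the page is framed, or the
// embedding iframe has scripting disabled (as the IE iframe feature discussed
// in the thread permits), the script never reveals the credential form.
//
// Assumed markup on the OP page (hypothetical):
//   <style id="antiframe">body { display: none !important; }</style>
//   <script src="antiframe.js"></script>   <!-- this file -->

// True when `win` is the top-level browsing context. `win` is passed in so
// the check can be exercised outside a browser with a fake window object.
function isTopLevel(win) {
  try {
    return win.self === win.top;
  } catch (e) {
    // Be defensive: if `top` cannot even be read, assume we are framed.
    return false;
  }
}

// Reveal the form only at top level. Returns true when the form was shown.
function revealIfTopLevel(win, doc) {
  if (!isTopLevel(win)) {
    // Framed: leave the blocking stylesheet in place and try to escape the
    // frame; if that navigation is refused, the page simply stays blank.
    try {
      win.top.location = win.self.location;
    } catch (e) {
      // Navigation refused; the form remains hidden.
    }
    return false;
  }
  // Top level with scripting on: remove the blocker so the body renders.
  const blocker = doc.getElementById('antiframe');
  if (blocker && blocker.parentNode) {
    blocker.parentNode.removeChild(blocker);
  }
  return true;
}

// Run automatically when loaded by a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  revealIfTopLevel(window, document);
}
```

Serving an `X-Frame-Options` or CSP `frame-ancestors` header alongside this lets the browser refuse the framing outright without relying on script at all; the script then covers only browsers that ignore the header.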
