[OpenID] XAuth critiques
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Jun 8 19:45:34 UTC 2010
Just passing through, between one relay and another:
>Thought experiment: Would you be satisfied if xauth were baked into
>Chromium (hosted at www.chromium.org)? If
>so, would it be sufficient to CNAME xauth.org to
>www.chromium.org and serve up JS from
>there, signed with the Chromium.org private key?
Assume that ALL requests are protected with SSL, so that the contents
of communications cannot be spied upon. An eavesdropper can STILL
figure out when a user is logging in with OpenID (and, with attention
to timing, WHICH sites they are logged in to!) by looking for
requests to the IP address of the central server.
What do we expect them to do in defense against this attack, route all
their communications through random public proxies?
-Shade