[security] HTTP and HTTPS URL issue (was RE: security)
Pete Rowley
prowley at redhat.com
Fri Oct 27 18:49:13 UTC 2006
Martin Atkins wrote:
> Dan Lyke wrote:
>
>> On Fri, 27 Oct 2006 10:57:25 -0700, Martin Atkins wrote:
>>
>>> No, it does not. Compromising the HTTP URL does *not* compromise the
>>> HTTPS URL in any sense.
>>>
>> But if you have control over the DNS when the HTTP URL is requested
>> (which is what HTTPS protects against in this instance), you can
>> redirect it to any HTTPS URL you wish, and that resulting URL becomes
>> the claimed identifier.
>>
>
> All you achieve in that case is (at worst) causing the legitimate user
> to log in as a different identifier.
>
That was the point of the original attack - causing someone to log into
an account controlled by the attacker. Presumably the value to the
attacker is in what the user does next, like upload something, or
disclose information.
--
Pete
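The exchange above describes discovery over a plain-HTTP claimed identifier being redirected, by whoever controls DNS for that hop, to an HTTPS URL of the attacker's choosing, which then becomes the claimed identifier. The following is an added simulation of that mechanism, not code from the thread or from any OpenID library: the network is a constructed in-memory table, and the hostnames, responses and provider links are assumptions. It follows redirects the way a relying party does, shows the identifier the RP ends up with under honest and attacker-controlled resolution, and adds one check a practitioner would want: whether every hop of the discovery chain was actually fetched over HTTPS, since an HTTPS final URL reached through an unauthenticated HTTP hop gives the RP no more assurance than the HTTP URL the user typed.

```python
"""Simulated OpenID-style discovery showing the HTTP -> HTTPS identifier swap.

Added example, not code from the thread. Hostnames, responses and the
attacker model below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    location: str = ""   # Location header for 3xx responses
    body: str = ""       # HTML body for 200 responses


def _provider_html(op_endpoint):
    return '<link rel="openid2.provider" href="%s">' % op_endpoint


# Constructed view of the network when nobody tampers with DNS: the user's
# identifier page at http://alice.example/ names her real provider.
HONEST_NETWORK = {
    "http://alice.example/": Response(200, body=_provider_html("https://op.example/auth")),
}

# Constructed view when the attacker controls DNS for the HTTP request (the
# situation described in the thread). The cleartext fetch is answered by the
# attacker with a redirect to an HTTPS URL whose certificate is legitimately
# the attacker's own, so the RP sees a valid TLS session and no warning.
ATTACKED_NETWORK = {
    "http://alice.example/": Response(302, location="https://attacker.example/victim/"),
    "https://attacker.example/victim/": Response(
        200, body=_provider_html("https://op.attacker.example/auth")),
}


def discover(entered_identifier, network, max_redirects=5):
    """Follow redirects as an RP does; returns (claimed_identifier, op_endpoint, hops).

    The final URL after redirects is taken as the claimed identifier, which is
    exactly what lets the attacker substitute one of their own.
    """
    url = entered_identifier
    hops = [url]
    for _ in range(max_redirects):
        resp = network.get(url)
        if resp is None:
            raise LookupError("no response for %s" % url)
        if resp.status in (301, 302, 303, 307, 308):
            url = resp.location
            hops.append(url)
            continue
        if resp.status == 200:
            m = re.search(r'rel="openid2\.provider" href="([^"]+)"', resp.body)
            if not m:
                raise ValueError("no provider link at %s" % url)
            return url, m.group(1), hops
        raise ValueError("unexpected status %d at %s" % (resp.status, url))
    raise ValueError("too many redirects")


def chain_is_authenticated(hops):
    """True only if every fetch in the discovery chain was over HTTPS.

    Any HTTP hop was forgeable by whoever controlled DNS or the path at that
    moment, so the identity of the final URL is only as trustworthy as that hop.
    """
    return all(h.startswith("https://") for h in hops)


if __name__ == "__main__":
    for name, net in (("honest", HONEST_NETWORK), ("attacked", ATTACKED_NETWORK)):
        claimed, op, hops = discover("http://alice.example/", net)
        print("%s: claimed=%s provider=%s authenticated_chain=%s"
              % (name, claimed, op, chain_is_authenticated(hops)))
```

Under the attacked view the user typed http://alice.example/ but the RP finishes discovery at https://attacker.example/victim/ and talks to the attacker's provider, so the legitimate user is logged in under an identifier the attacker controls; `chain_is_authenticated` returns False for that chain because its first hop was plain HTTP, which is the property an RP would need to track if it wanted to treat HTTPS identifiers as stronger than HTTP ones.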