[security] HTTP and HTTPS URL issue (was RE: security)
Pete Rowley
prowley at redhat.com
Fri Oct 27 19:07:50 UTC 2006
Dan Lyke wrote:
> On Fri, 27 Oct 2006 11:49:13 -0700, Pete Rowley wrote:
>
>> That was the point of the original attack - causing someone to log
>> into an account controlled by the attacker.
>>
>
> Martin's point is that the Relying Party needs to process the
> redirected-to URL as the identifier, so if this redirect URL is new to
> the Relying Party, it should be treated as an entirely new URL, not
> the one the user initially entered.
>
And my point is that that is the whole point - a user is logged into an
account controlled by an attacker. The problem is "if this redirect URL
is new to the Relying Party" is like saying "if this is a badly crafted
attack."
--
Pete
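As an added illustration of the check the thread argues about (example code written for this page, not code from the thread or from any OpenID library; the hostnames and redirect table are constructed stand-ins for the 3xx responses an RP would actually fetch): a relying party that binds the session to the redirected-to URL, as Martin proposes, but refuses to proceed silently when the redirect leaves the host the user typed, since the RP cannot tell a benign move from an attacker-controlled destination.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed redirect table standing in for the HTTP redirects an RP sees
# when it fetches an identifier URL (hypothetical hosts, not from the thread).
REDIRECTS = {
    "http://alice.example.org/": "https://alice.example.org/",
    "https://alice.example.org/": "https://alice.example.org/id",
    "http://victim.example.net/": "http://attacker.example.com/alice",
}

MAX_HOPS = 5  # bound on redirect depth, also stops A -> B -> A loops


def normalize(url: str) -> str:
    """Minimal identifier normalization: lowercase scheme and host, default path "/", drop fragment."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def resolve(entered: str):
    """Follow the redirect chain the way an RP would and return (final_url, chain)."""
    chain = [normalize(entered)]
    while chain[-1] in REDIRECTS:
        if len(chain) > MAX_HOPS:
            raise ValueError("redirect loop or excessive hops")
        chain.append(normalize(REDIRECTS[chain[-1]]))
    return chain[-1], chain


def rp_decision(entered: str) -> dict:
    """Decide which identifier the session is bound to and whether to stop and ask.

    The session is bound to the redirected-to URL, never to what the user typed.
    If that URL is on a different host than the entered one, the RP records the
    change and requires explicit user confirmation instead of proceeding silently.
    """
    final, chain = resolve(entered)
    entered_host = urlsplit(chain[0]).hostname
    final_host = urlsplit(final).hostname
    cross_host = entered_host != final_host
    return {
        "entered": chain[0],
        "identifier": final,
        "hops": len(chain) - 1,
        "cross_host": cross_host,
        "action": "confirm_with_user" if cross_host else "proceed",
    }
```

A same-host http-to-https move proceeds; the cross-host case is surfaced to the user rather than treated as just another new identifier.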