[security] HTTP and HTTPS URL issue (was RE: security)
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Oct 27 19:11:17 UTC 2006
BTW, did anybody of you notice, that the exchange of information
(assoc_handle) between the RP and IDP is completely optional?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Pete Rowley wrote:
> Dan Lyke wrote:
>> On Fri, 27 Oct 2006 11:49:13 -0700, Pete Rowley wrote:
>>
>>> That was the point of the original attack - causing someone to log
>>> into an account controlled by the attacker.
>>>
>>
>> Martin's point is that the Relying Party needs to process the
>> redirected-to URL as the identifier, so if this redirect URL is new
>> to the Relying Party, it should be treated as an entirely new URL,
>> not the one the user initially entered.
>>
> And my point is that that is the whole point - a user is logged into
> an account controlled by an attacker. The problem is "if this redirect
> URL is new to the Relying Party" is like saying "if this is a badly
> crafted attack."
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061027/49690778/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eddy_nigg.vcf
Type: text/x-vcard
Size: 636 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061027/49690778/attachment-0002.vcf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7282 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061027/49690778/attachment-0002.bin>
More information about the security
mailing list