[security] HTTP and HTTPS URL issue (was RE: security)
Josh Hoyt
josh at janrain.com
Fri Oct 27 19:18:58 UTC 2006
On 10/27/06, Pete Rowley <prowley at redhat.com> wrote:
> And my point is that that is the whole point - a user is logged into an
> account controlled by an attacker. The problem is "if this redirect URL
> is new to the Relying Party" is like saying "if this is a badly crafted
> attack."
If you can get someone to click on a URL, you can get them logged in
as whatever identifier you want to, by initiating logging in with the
new identifier. This is regardless of SSL/non-SSL, IdP-initiated login
or RP-initiated.
I realize that it's a little worse that the user typed in his
identifier and then got logged in as someone else, but I think it'll
be a way more common attack if you want the user to be logged in as a
particular identifier to do it by initiating it separately, since that
does not require compromising DNS anywhere. You can do it in spam or
put a link on a message board on that site, etc.
So there is going to be a way to do it, even if SSL is required
everywhere, unless you only allow trusted IdPs.
Josh