[security] HTTP and HTTPS URL issue (was RE: security)
Dan Lyke
danlyke at flutterby.com
Fri Oct 27 19:22:38 UTC 2006
On Fri, 27 Oct 2006 12:18:58 -0700, Josh Hoyt wrote:
> If you can get someone to click on a URL, you can get them logged in
> as whatever identifier you want to, by initiating logging in with the
> new identifier. This is regardless of SSL/non-SSL, IdP-initiated
> login or RP-initiated.
Right. Must keep in mind my attack modes. The concern is that an
attacker be able to represent themselves to a Relying Party as an
OpenID controlled by someone else.
Dan
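The concern raised above is a user being walked through a login they never started (a forced login as an attacker-chosen identifier). One RP-side mitigation, added here as an example that is not from this thread or from any OpenID library: bind each login attempt to the browser session that began it, and refuse any assertion for which that session holds no matching pending state. The `https://rp.example` URL and the `rp_nonce` parameter are constructed placeholders, and verification of the assertion's signature with the IdP is left out of this sketch.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class RelyingParty:
    """Minimal model of an OpenID Relying Party that only accepts
    assertions for logins the current session itself initiated.
    Constructed example, not a real OpenID implementation."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"pending": {...}, "user": ...}

    def begin_login(self, session_id, claimed_id):
        """User types their identifier at the RP. Record a fresh nonce and the
        claimed identifier in the session and carry the nonce in return_to."""
        nonce = secrets.token_urlsafe(16)
        self.sessions.setdefault(session_id, {})["pending"] = {
            "nonce": nonce,
            "claimed_id": claimed_id,
        }
        # Placeholder RP URL; the IdP will send the browser back here.
        return "https://rp.example/finish?" + urlencode({"rp_nonce": nonce})

    def complete_login(self, session_id, return_url, asserted_id):
        """Browser arrives back from the IdP. Log the user in only when this
        session started a login whose nonce matches the one in the URL and
        whose claimed identifier equals the asserted one. Returns the logged-in
        identifier, or None when the assertion is rejected."""
        # pop() consumes the pending state, so a second delivery of the same
        # assertion cannot be replayed against this session.
        pending = self.sessions.get(session_id, {}).pop("pending", None)
        if pending is None:
            return None  # unsolicited: this session never began a login
        got = parse_qs(urlparse(return_url).query).get("rp_nonce", [""])[0]
        if not hmac.compare_digest(got, pending["nonce"]):
            return None  # nonce belongs to a different (or no) login attempt
        if asserted_id != pending["claimed_id"]:
            return None  # identifier was swapped between begin and complete
        # Real code would also verify the assertion signature with the IdP here.
        self.sessions[session_id]["user"] = asserted_id
        return asserted_id
```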