[security] HTTP and HTTPS URL issue (was RE: security)
Pete Rowley
prowley at redhat.com
Fri Oct 27 19:49:24 UTC 2006
Josh Hoyt wrote:
> On 10/27/06, Pete Rowley <prowley at redhat.com> wrote:
>> And my point is that that is the whole point - a user is logged into an
>> account controlled by an attacker. The problem is "if this redirect URL
>> is new to the Relying Party" is like saying "if this is a badly crafted
>> attack."
>
> If you can get someone to click on a URL, you can get them logged in
> as whatever identifier you want to, by initiating logging in with the
> new identifier. This is regardless of SSL/non-SSL, IdP-initiated login
> or RP-initiated.
>
OK, now that is a good candidate for the wiki and something in the
guidelines document.
--
Pete