[security] Phishing issues with return_to url and realm

Dick Hardt dick at sxip.com
Tue Feb 6 07:39:11 UTC 2007


Hi Allen, thanks for the well-written email, a couple of comments inserted ...

On 5-Feb-07, at 11:23 PM, Allen Tom wrote:
> First of all, anyone can craft valid Auth Requests using spoofed values
> for openid.return_to and openid.realm. This has very nasty consequences
> for sites running redirect servers for click tracking purposes, such as
> these:
>
> http://x.go.com/cgi/x.pl?goto=http://www.jyte.com
> http://www.aol.com/ams/clickThruRedirect.adp?1,2,http://www.jyte.com
>
> A rogue RP could mask its identity and claim to be go.com or aol.com by
> hiding behind these redirect servers. When serving the Auth Request, an
> OP like myopenid.com will display this message to the user:
>
> "A site identifying as all sites matching http://anything.go.com has
> asked us for confirmation that xxxx is your identity URL..."

WOW, this is BAD!

<snip>
>
> The best way to resolve this issue is to define a way for the OP to
> verify that the return_to URL is actually a valid OpenID endpoint, and
> to also verify its association.
>
> I propose that an RP's return_to url expose an interface to allow it to
> identify itself as an OpenID 2.0 endpoint, and to also identify its
> association with the OP. Obviously, OPs must not follow redirects when
> interrogating the RP's endpoint.

Good suggestion on how to resolve. Keen to see what others think.

Would be nice if the OP checking the RP could be cached so that it does not have to happen for each request.

-- Dick
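The two OP-side checks discussed in this thread, as an added example that is not code from the thread or from any OpenID implementation: the OpenID 2.0 realm-matching rules (scheme, port, path prefix, host with an optional `*.` wildcard), and a single probe of return_to that refuses to follow redirects, so a click-tracking redirector like the go.com URL quoted above fails the probe. The `fetch` callback, the `X-OpenID-Endpoint` marker header used to model the "identify itself as an OpenID 2.0 endpoint" interface, and the canned responses are all assumptions constructed for this example.

```python
from urllib.parse import urlsplit


def realm_matches(realm: str, return_to: str) -> bool:
    """OpenID 2.0 realm rules: same scheme and port, return_to path equal to
    or below the realm path, host equal to the realm host or, for a '*.'
    realm, a subdomain of it. A wildcard over a bare TLD is rejected."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.scheme != u.scheme or r.port != u.port:
        return False
    rpath, upath = (r.path or "/"), (u.path or "/")
    if upath != rpath and not upath.startswith(rpath.rstrip("/") + "/"):
        return False
    rhost, uhost = (r.hostname or ""), (u.hostname or "")
    if rhost.startswith("*."):
        domain = rhost[2:]
        if "." not in domain:  # e.g. "*.com" would match every site
            return False
        return uhost == domain or uhost.endswith("." + domain)
    return uhost == rhost


def return_to_is_endpoint(return_to: str, fetch) -> bool:
    """Probe return_to exactly once. `fetch(url)` is an assumed callback that
    returns (status, headers) for the direct response only, never following
    redirects, as the thread requires. The marker header is hypothetical."""
    status, headers = fetch(return_to)
    if status != 200:  # a 3xx from an open redirector stops here
        return False
    return headers.get("X-OpenID-Endpoint") == "2.0"


# Constructed responses standing in for the hosts quoted in the thread.
CONSTRUCTED_RESPONSES = {
    "http://x.go.com/cgi/x.pl?goto=http://www.jyte.com":
        (302, {"Location": "http://www.jyte.com"}),
    "http://www.jyte.com/openid/return": (200, {"X-OpenID-Endpoint": "2.0"}),
}


def fake_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))


def op_accepts(realm: str, return_to: str, fetch=fake_fetch) -> bool:
    """What an OP would require before showing the realm to the user."""
    return realm_matches(realm, return_to) and return_to_is_endpoint(return_to, fetch)
```

The go.com case passes realm matching (it really is a go.com URL) and is rejected only by the no-redirect probe, which is why the probe, not realm matching alone, closes the hole.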
