[security] Passwords in the clear
Recordon, David
drecordon at verisign.com
Fri Feb 9 19:48:24 UTC 2007
Hey Claus,
I was replying in support of what Ka-Ping said which was:
You're talking about a different problem, which we already know how to address -- the login form should use HTTPS instead of HTTP.
--David
-----Original Message-----
From: security-bounces at openid.net [mailto:security-bounces at openid.net] On Behalf Of Claus Färber
Sent: Friday, February 09, 2007 12:24 AM
To: security at openid.net
Subject: Re: [security] Passwords in the clear
Recordon, David <drecordon at verisign.com> schrieb/wrote:
> +1, any OP worth its code will use HTTPS when working with passwords or user data.
That does not help if a rogue RP sends the user elsewhere and the MITM provides a valid SSL certificate for his "lookalike" domain name.
Claus