[security] Passwords in the clear
Claus Färber
GMANE at faerber.muc.de
Sat Feb 10 21:50:52 UTC 2007
Recordon, David wrote:
> Hey Claus,
> I was replying in support of what Ka-Ping said which was:
> You're talking about a different problem, which we already know how to address -- the login form should use HTTPS instead of HTTP.
Both of you are still missing the point: Using HTTPS does not help if
the rogue RP redirects to a MITM phishing site which has a valid SSL/TLS
certificate.
You can't expect all users to check the domain and to do the right thing
(especially if the MITM uses domain names like my0pen1d.com or
myopenid.httpcache.example.com).
In this case, the MITM gets the password _in_ _the_ _clear_ (thanks to
HTTP's basic auth or form submission), even if the communication between
the client and the MITM is encrypted.
Claus
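The two deceptive host names above (a digit-for-letter swap, and the real provider's name planted as a sub-label of an unrelated registered domain) both defeat a casual "does the URL contain myopenid?" glance. The following Python is an added example, not code from the thread or from any OpenID implementation: it is the kind of check a relying party's audit log, a provider's monitoring, or a browser-side helper could apply to the host a user is about to be redirected to, and it also flags the original HTTPS point (right host, but plain HTTP). The trusted host `myopenid.com`, the confusable table and the sample URLs are assumptions constructed for the example; the registrable-domain logic is a deliberate simplification (last two labels) rather than a public suffix list lookup.

```python
from urllib.parse import urlsplit

# Assumption for this example: the genuine provider lives under exactly this
# registered domain. Anything else receiving the login form is foreign.
TRUSTED_HOST = "myopenid.com"

# Digit-for-letter substitutions commonly used to build lookalike names.
_CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def _normalise(label: str) -> str:
    return label.lower().translate(_CONFUSABLES)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, inlined to keep the example self-contained."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a real deployment would
    consult the public suffix list so that e.g. co.uk is handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_redirect(url: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Say where a redirect would deliver the user's password.

    'trusted'            exactly the trusted registered domain, over https
    'trusted-plain-http' the right domain, but the form would cross the wire unencrypted
    'embedded-name'      trusted name appears as a label inside another registered domain
    'lookalike'          registered name differs from the trusted one by a confusable
                         swap or a single character
    'unrelated'          some other domain entirely
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    trusted_label = trusted_host.split(".")[0]

    if registrable_domain(host) == trusted_host:
        return "trusted" if parts.scheme.lower() == "https" else "trusted-plain-http"
    if trusted_label in labels:
        # e.g. myopenid.httpcache.example.com: the name is there, the owner is not
        return "embedded-name"
    first_label = labels[-2] if len(labels) >= 2 else labels[0]
    if _edit_distance(_normalise(first_label), trusted_label) <= 1:
        return "lookalike"
    return "unrelated"


def audit(urls):
    """Return (url, verdict) pairs; anything other than 'trusted' deserves a look."""
    return [(u, classify_redirect(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample of redirect targets an RP might emit.
    sample = [
        "https://myopenid.com/signin",
        "http://myopenid.com/signin",
        "https://my0pen1d.com/signin",
        "https://myopenid.httpcache.example.com/signin",
        "https://accounts.example.net/signin",
    ]
    for url, verdict in audit(sample):
        print(f"{verdict:20} {url}")
```

The order of the checks matters: the registered-domain comparison runs first so that `login.myopenid.com` is accepted, the embedded-name test runs before the lookalike test so that a host carrying the genuine name verbatim is not mistaken for a near miss, and only then is the fuzzy comparison applied to the registered label.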