[security] Passwords in the clear
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Feb 10 22:00:28 UTC 2007
Claus Färber wrote:
>
> Both of you are still missing the point: Using HTTPS does not help if
> the rogue RP redirects to a MITM phishing site which has a valid SSL/TLS
> certificate.
>
>
Hehe...I like this one...good thought! Which means that any IDP must
implement better authentication procedures in order to prevent phishing
attacks, such as two-factor authentication or other improved
authentication procedures! This would make a password harvested by a
rogue site pretty useless...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390