[security] Passwords in the clear
Recordon, David
drecordon at verisign.com
Sun Feb 11 05:45:09 UTC 2007
I understand that Claus, my _only_ point was that any decent OP will be using SSL. I wasn't making any statement toward this preventing the Rogue RP attack.
--David
-----Original Message-----
From: security-bounces at openid.net [mailto:security-bounces at openid.net] On Behalf Of Claus Färber
Sent: Saturday, February 10, 2007 1:51 PM
To: security at openid.net
Subject: Re: [security] Passwords in the clear
Recordon, David schrieb:
> Hey Claus,
> I was replying in support of what Ka-Ping said which was:
> You're talking about a different problem, which we already know how to address -- the login form should use HTTPS instead of HTTP.
Both of you are still missing the point: Using HTTPS does not help if the rouge RP redirects to a MITM phishing site which has a valid SSL/TLS certificate.
You can't expect all users to check the domain and to do right thing (especially if the MITM uses domain names like my0pen1d.com or myopenid.httpcache.example.com).
In this case, the MITM gets the password _in_ _the_ _clear_ (thanks to HTTP's basic auth or form submission), even if the communication between the client and the MITM is encrypted.
Claus
_______________________________________________
security mailing list
security at openid.net
http://openid.net/mailman/listinfo/security
More information about the security
mailing list