[security] MyOpenID
gaz_sec at hushmail.com
Wed Mar 21 18:51:51 UTC 2007
Hi Matt
>Which is the last 'the site' you're referring to, the Relying Party
>(e.g. ficlets)? Take a look at the Single Sign Out topics that have
>been discussed on the OpenID lists. Do you have a step by step
>walkthrough example?
Here are the steps I took:
1. Logged onto the OpenID server (https://www.myopenid.com/signin)
2. Logged onto ficlets.com with my OpenID
(http://ficlets.com/signin/signin?ret=/)
3. Selected Trust forever on the OpenID server.
4. Logged out of ficlets.com.
5. Visited the site I created to log back on automatically.
>>
>> 2. The second problem is more serious: you can create a specially
>> crafted web page to automatically log on to a web site and also add
>> that web site to the allow forever trusted site. The only
>> requirement is that you have to be logged onto the OpenID server.
>
>How would you do this? Do you have an example?
I do have a working example that works in 1 browser at the moment
but I can't send it because it is currently being fixed by
MyOpenID. When I find out it has been fixed I shall send the
example to the list.
>>
>> Both cases can be prevented if the OpenID specification requires
>> authorisation regardless of a cached token.
>
>That would defeat the purpose of some of the key benefits. I'd like
>to know more about which specific issues you're referring to.
>
>Thanks,
>Matt
>
>>
>> Cheers
>>
>> Gareth
>
>------------------
>Matt Pelletier
>http://www.eastmedia.com -- EastMedia
>http://www.informit.com/title/0321483502 -- The Mongrel Book
>http://identity.eastmedia.com -- OpenID, Identity 2.0
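The cached-trust behaviour reproduced in the steps above, as an added illustration that is my own model and not MyOpenID's or ficlets' code: an OpenID provider deciding how to answer a checkid_setup request for a logged-in user. TRUST_STORE, checkid_decision and require_fresh_consent are assumed names; the return_to/trust_root matching follows the OpenID 1.1/2.0 realm rule, and the require_fresh_consent switch corresponds to the "authorisation regardless of a cached token" option discussed in the thread.

```python
from urllib.parse import urlparse

# Constructed trust store for one logged-in user: trust_root -> decision.
# The layout is an assumption for this illustration, not MyOpenID's schema.
TRUST_STORE = {"http://ficlets.com/": "forever"}


def _parts(url):
    """Scheme, lower-cased host, effective port and path of a URL."""
    p = urlparse(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    return p.scheme, (p.hostname or "").lower(), p.port or default, p.path or "/"


def return_to_matches_trust_root(return_to, trust_root):
    """OpenID 1.1 / 2.0 realm rule: same scheme and port, host equal to the
    trust_root host (or under it when the trust_root host starts with '*.'),
    and the return_to path must begin with the trust_root path."""
    rs, rh, rp, rpath = _parts(return_to)
    ts, th, tp, tpath = _parts(trust_root)
    if rs != ts or rp != tp:
        return False
    if th.startswith("*."):
        base = th[2:]
        if not (rh == base or rh.endswith("." + base)):
            return False
    elif rh != th:
        return False
    return rpath.startswith(tpath)


def checkid_decision(logged_in, trust_root, return_to,
                     trust_store=TRUST_STORE, require_fresh_consent=False):
    """Model of an OP handling checkid_setup; returns the action it takes."""
    if not logged_in:
        return "login_required"
    if not return_to_matches_trust_root(return_to, trust_root):
        return "reject"            # assertion would go to a foreign return_to
    if require_fresh_consent or trust_store.get(trust_root) != "forever":
        return "prompt_user"       # user sees and confirms the trust request
    return "assert_silently"       # cached 'trust forever': no interaction
```

With the cached "forever" entry, the ficlets return_to from step 2 is asserted without any user interaction (step 5); setting require_fresh_consent=True turns that into a prompt.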