Realm spoofing spec patch
Josh Hoyt
josh at janrain.com
Thu May 24 23:19:11 UTC 2007
Hello,
I've added a section to the specification[1] about performing
verification on the realm to avoid realm spoofing. In short, realm
spoofing is the problem of exploiting a bug on a site that a user
would trust to trick them into sending their information to a site
that they would not trust. This is very similar to many phishing
attacks. The difference between this type of attack and a standard
phishing attack is that the user will (usually) only see the realm,
and the realm may actually be trusted, so even an educated user who's
paying attention may be vulnerable.
There are also (minor) changes to the section on discovering relying
parties[2].
The fix that is described is for the relying party to provide a
whitelist of URL patterns that should be usable as return_to
URLs. Relying parties should be as restrictive as possible when
specifying return_to URLs.
This is the fix that was discussed at the Internet Identity Workshop,
by all of the spec editors and several prominent members of the OpenID
community. Please review the additions. If you'd like to see the
specific changes, you can look at the diffs in revision control[3].
Josh
1. <http://j3h.janrain.com/openid-specs-rendered/openid-authentication_svn-327.html#return_to_verification>
2. <http://j3h.janrain.com/openid-specs-rendered/openid-authentication_svn-327.html#return_to_verification>
3. <http://openid.net/svn/listing.php?repname=specifications&path=&rev=326&sc=1>
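What the proposed fix looks like on the OpenID Provider side, as an added example that is not part of the mail above or of the spec text it links: the RP publishes a whitelist of return_to URL patterns, and the OP refuses to redirect to any return_to that no pattern covers. The matching rules (same scheme and port, exact host or a `*.` wildcard host, path prefix on a `/` boundary, no fragment) are this example's reading of realm matching as it ended up in OpenID Authentication 2.0, not the text of the patch, and the pattern list is constructed for illustration. The checks for userinfo in the authority, dot segments in the path, and wildcards on a bare top-level label are the practitioner's caveats; each of them is a way an attacker-controlled return_to can look like it belongs to the trusted realm.

```python
"""return_to whitelisting for an OpenID Provider (added example, not spec or library code)."""
from urllib.parse import urlsplit, unquote

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Explicit port, or the scheme default; None if the port is malformed."""
    try:
        port = parts.port  # ValueError on non-numeric or out-of-range ports
    except ValueError:
        return None
    return port if port is not None else _DEFAULT_PORTS.get(parts.scheme)


def _path_covers(pattern_path, url_path):
    """True if url_path equals pattern_path or sits under it on a '/' boundary.

    This is what keeps /openid from matching /openidfoo/steal."""
    base = pattern_path.rstrip("/")  # "" means the whole host
    return url_path == base or url_path.startswith(base + "/")


def return_to_matches(return_to, pattern):
    """Decide whether one whitelisted pattern covers return_to.

    A pattern is realm-shaped: https://rp.example.com/openid, or
    https://*.rp.example.com/ where the wildcard matches the host itself
    and any subdomain. Anything ambiguous is rejected rather than guessed
    at, because a wrong 'yes' is exactly the realm-spoofing hole.
    """
    rt, pat = urlsplit(return_to), urlsplit(pattern)

    # Web schemes only, and they must be identical (an https pattern never covers http).
    if rt.scheme not in _DEFAULT_PORTS or rt.scheme != pat.scheme:
        return False
    # A fragment in return_to is never legitimate; a query on a pattern is undefined.
    if rt.fragment or pat.fragment or pat.query:
        return False
    # Userinfo lets https://rp.example.com@evil.example/ read like the RP to a user.
    if rt.username is not None or rt.password is not None or pat.username is not None:
        return False

    rt_host, pat_host = (rt.hostname or ""), (pat.hostname or "")
    if not rt_host or "*" in rt_host:
        return False
    if pat_host.startswith("*."):
        base = pat_host[2:]
        if "." not in base:  # refuse *.com style patterns that cover the whole TLD
            return False
        if rt_host != base and not rt_host.endswith("." + base):
            return False
    elif rt_host != pat_host:
        return False

    rt_port, pat_port = _effective_port(rt), _effective_port(pat)
    if rt_port is None or rt_port != pat_port:
        return False

    # Dot segments (plain or percent-encoded) would escape the whitelisted prefix
    # once the RP's server normalizes the path, so reject them outright.
    segments = unquote(rt.path).split("/")
    if "." in segments or ".." in segments:
        return False
    return _path_covers(pat.path, rt.path or "/")


def return_to_allowed(return_to, patterns):
    """The OP-side check: accept return_to only if some RP-published pattern covers it."""
    return any(return_to_matches(return_to, p) for p in patterns)


# Constructed sample whitelist, as an RP might publish it (hypothetical hosts).
RP_RETURN_TO_PATTERNS = [
    "https://rp.example.com/openid",
    "https://*.login.rp.example.com/",
]

if __name__ == "__main__":
    for url in [
        "https://rp.example.com/openid/return?token=abc",
        "https://rp.example.com/openidfoo/return",
        "https://rp.example.com@evil.example/openid/return",
        "https://rp.example.com/openid/%2e%2e/admin",
        "https://sso.login.rp.example.com/cb",
    ]:
        print(return_to_allowed(url, RP_RETURN_TO_PATTERNS), url)
```

The RP should publish the narrowest patterns it can live with, as the mail says: a pattern of `https://rp.example.com/` lets any open redirect or reflected-content bug anywhere on that host receive the assertion, while `https://rp.example.com/openid/return` confines the damage to one endpoint.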