vulnerabilities (if someone can steal the user's secure cookies in near-real time then they will be able to steal the user's browser session anyways).
I assume that attackers can obtain cookies/GET/POST from the browser; if they can hook the browser to such an extent that they capture server responses too, the user's screwed in any case, but mitigating attacks that rely on lesser forms of eavesdropping (whether the attacker steals a session or not) is the sort of edge case I've enjoyed developing defenses for :)
-Shade left behind "convenience" a while back, though . . . ;)
