On Tue, Jun 8, 2010 at 12:45 PM, SitG Admin <[email protected]> wrote:

>  Just passing through, between one relay and another:
>
> > Thought experiment:  Would you be satisfied if xauth were baked into
> > Chromium (hosted at www.chromium.org)?  If so, would it be sufficient to
> > CNAME xauth.org to www.chromium.org and serve up JS from there, signed
> > with the Chromium.org private key?
>
> Assume that ALL requests are protected with SSL, so that the contents of
> communications cannot be spied upon. An eavesdropper can STILL figure out
> when a user is logging in with OpenID (and, with attention to timing, WHICH
> sites they are logged in to!) by looking for requests to the IP address of
> the central server.
>

(1) Assume the content is marked cacheable for a year, so in general an
actual request to the central server will be a rare/semi-random event; is
this really a useful signal to attackers?

(2) If an eavesdropper can listen in on all your network traffic, can't they
see your HTTP requests to IdP and RP (and everything else) directly?


> What do we expect them to do in defense of this attack, route all their
> communications through random public proxies?
>

If you are worried about MITM attacks between you and the Internet (or
eavesdropping on all of your traffic patterns) then you probably want
something along the lines of Tor routing as a basic start, yes.


>
> -Shade
>
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs