Dick Hardt wrote:
>
> On 8-Feb-07, at 5:03 PM, Allen Tom wrote:
>
>> Hi Johnny,
>>
>> If the OP verifies the return_to by following all redirects until
>> reaching the destination, then an evil RP could craft an Auth Request
>> with the following parameters:
>>
>> realm=*.goodsite.com
>> return_to=man.in.middle.redirect.com/legit_return_to.goodsite.com
>
> In this example, if the realm is not contained in the domain of the
> return_to, the OP would report an error to the user.

There could be several levels of redirection, so depending on how the
spec is phrased, the evil RP could instead do:

realm=*.goodsite.com
return_to=redirector.goodsite.com/evilrp.com/legit.goodsite.com

Anyway, allowing redirects in the return_to makes each intermediate host
a man in the middle. At the very least, the top level url in the
return_to should be able to verify that it's actually an OpenID 2.0
entrypoint, and it might even be desirable for the OP to be able to
verify the association that it has with it. For example, the OP could
ask the RP to tell it its association handle, or perhaps to verify that
it knows the secret for the given handle.

Allen

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
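The following is an added, OP-side illustration of the two checks the thread discusses; it is not code from the OpenID project or from anyone on this list. It implements OpenID 2.0 realm matching on the URL text alone (scheme, port, host with optional `*.` wildcard, path prefix) and then the return_to verification step in which the OP performs discovery on the realm and refuses to follow any redirect. The `fetch` callable, the XRDS document, and the `goodsite.com` URLs (given an `https` scheme, which the e-mail omits) are constructed for the example. The second example from the e-mail, `redirector.goodsite.com/...`, passes the textual realm check, which is exactly the author's point, and is only rejected once the OP checks the realm's advertised return_to endpoints without following redirects.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OpenID 2.0 service type that an RP lists in its XRDS for return_to verification.
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"


def _split(url):
    """Normalise a URL into the parts that realm matching compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, host, port, parts.path or "/", parts.fragment


def return_to_matches_realm(return_to, realm):
    """Textual realm match only: no network access, no redirects.

    A realm may start with '*.' to cover all subdomains; otherwise hosts
    must be equal. Scheme and port must match and the realm path must be
    a prefix of the return_to path.
    """
    r_scheme, r_host, r_port, r_path, r_frag = _split(realm)
    t_scheme, t_host, t_port, t_path, _ = _split(return_to)
    if r_frag:  # realms must not carry a fragment
        return False
    if r_scheme not in ("http", "https") or r_scheme != t_scheme or r_port != t_port:
        return False
    if r_host.startswith("*."):
        domain = r_host[2:]
        if "." not in domain:  # refuse over-broad wildcards such as *.com
            return False
        if not (t_host == domain or t_host.endswith("." + domain)):
            return False
    elif r_host != t_host:
        return False
    return t_path.startswith(r_path)


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def xrds_return_to_uris(xrds_text):
    """Collect URIs of services typed as OpenID 2.0 return_to endpoints."""
    uris = []
    for svc in ET.fromstring(xrds_text).iter():
        if _local(svc.tag) != "Service":
            continue
        types = [c.text.strip() for c in svc if _local(c.tag) == "Type" and c.text]
        if RETURN_TO_TYPE in types:
            uris += [c.text.strip() for c in svc if _local(c.tag) == "URI" and c.text]
    return uris


def verify_return_to(return_to, realm, fetch):
    """OP-side verification: realm match, then discovery on the realm.

    `fetch(url)` returns (status, body); it is injected so this runs offline.
    Any non-200 answer, including a 3xx, is treated as failure: the OP never
    follows a redirect, so an intermediate host cannot stand in the middle.
    """
    if not return_to_matches_realm(return_to, realm):
        return False
    discovery_url = realm.replace("*.", "www.", 1)  # spec rule for wildcard realms
    status, body = fetch(discovery_url)
    if status != 200:
        return False
    try:
        uris = xrds_return_to_uris(body)
    except ET.ParseError:
        return False
    return any(return_to_matches_realm(return_to, uri) for uri in uris)


# Constructed sample data modelled on the e-mail's example.
REALM = "https://*.goodsite.com/"
GOOD_RETURN_TO = "https://www.goodsite.com/openid/return?nonce=1"
EVIL_RETURN_TO = "https://redirector.goodsite.com/evilrp.com/legit.goodsite.com"

GOOD_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://www.goodsite.com/openid/return</URI>
  </Service></XRD>
</xrds:XRDS>"""


def good_fetch(url):
    # Constructed: the realm's www host serves its XRDS directly.
    return (200, GOOD_XRDS) if url == "https://www.goodsite.com/" else (404, "")


def redirecting_fetch(url):
    # Constructed: the realm host answers with a redirect, which we refuse.
    return (302, "")


if __name__ == "__main__":
    print(return_to_matches_realm(EVIL_RETURN_TO, REALM))  # True: text check alone passes
    print(verify_return_to(EVIL_RETURN_TO, REALM, good_fetch))  # False: not a listed endpoint
    print(verify_return_to(GOOD_RETURN_TO, REALM, redirecting_fetch))  # False: redirect refused
```

The textual check is what an OP can do before touching the network; the discovery step is what lets it confirm that the top-level return_to host really is an OpenID 2.0 endpoint, as the post asks for. The association-handle check the post also suggests is a separate exchange and is not modelled here.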
