I understand that Claus, my _only_ point was that any decent OP will be using 
SSL.  I wasn't making any statement toward this preventing the Rogue RP attack.

--David 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claus Färber
Sent: Saturday, February 10, 2007 1:51 PM
To: [email protected]
Subject: Re: [security] Passwords in the clear

Recordon, David schrieb:
> Hey Claus,
> I was replying in support of what Ka-Ping said which was:
>       You're talking about a different problem, which we already know how to 
> address -- the login form should use HTTPS instead of HTTP.

Both of you are still missing the point: Using HTTPS does not help if the rogue 
RP redirects to a MITM phishing site which has a valid SSL/TLS certificate.

You can't expect all users to check the domain and to do the right thing 
(especially if the MITM uses domain names like my0pen1d.com or 
myopenid.httpcache.example.com).

In this case, the MITM gets the password _in_ _the_ _clear_ (thanks to HTTP's 
basic auth or form submission), even if the communication between the client 
and the MITM is encrypted.

Claus

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
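The point Claus makes above is that "the login form is HTTPS" is a check on the
transport, not on the party receiving the password. The following Python snippet
is an added example, not code from this thread or from any OpenID library, that
contrasts the two checks: a scheme-only test, which accepts every look-alike host
the message cites, and a strict origin test that compares the redirect target's
host against the one legitimate OP host the user (or a browser-side helper) expects.
The legitimate host name `myopenid.example` and the sample redirect URLs are
constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical legitimate OP host the user actually intends to log in to.
EXPECTED_OP_HOST = "myopenid.example"

# Constructed redirect targets a rogue RP might send the browser to. The two
# look-alike hosts are the ones named in the message; the others are variants.
SAMPLE_REDIRECTS = [
    "https://myopenid.example/login",                     # genuine OP
    "https://my0pen1d.com/login",                         # leet-speak look-alike
    "https://myopenid.httpcache.example.com/login",       # OP name as a subdomain
    "https://myopenid.example@evil.example/login",        # userinfo trick
    "http://myopenid.example/login",                      # genuine host, no TLS
]


def scheme_only_check(url: str) -> bool:
    """The insufficient check: 'does the login page use HTTPS?'.

    A valid certificate for an attacker-controlled host passes this test,
    so every look-alike above is accepted.
    """
    return urlsplit(url).scheme == "https"


def strict_origin_check(url: str, expected_host: str = EXPECTED_OP_HOST) -> bool:
    """Accept only an HTTPS URL whose host is exactly the expected OP host.

    Rejects a different registrable domain, the expected name appearing as a
    label inside another domain, userinfo tricks, and non-default ports.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "expected@attacker" style URLs
    if parts.hostname is None:
        return False
    if parts.port not in (None, 443):
        return False
    # urlsplit().hostname is already lower-cased; compare whole host, not a suffix
    return parts.hostname == expected_host.lower()


def evaluate(urls=SAMPLE_REDIRECTS) -> dict:
    """Return {url: (scheme_only_result, strict_result)} for each redirect."""
    return {u: (scheme_only_check(u), strict_origin_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in evaluate().items():
        print(f"{url:50} https-only={loose!s:5} strict-origin={strict}")
```

Run as a script it prints one row per sample redirect; only the genuine OP URL
passes the strict check, while four of the five pass the HTTPS-only check. The
design point is that the comparison is an exact host match against a value the
user chose beforehand, because a suffix or substring match would again admit
`myopenid.httpcache.example.com`.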