The attack vector: I poison your local DNS resolver, or proxy all traffic, so that http://foo.blogspot.com actually resolves to http://evil.org's IP. If you follow the 302 redirect, you could be allowing evil.org to tell you what the "canonical" URL is. For example, it could do a 302 redirect over to https://evil.org which presents a valid certificate and which can masquerade as the user's OP, capturing their password. (For users who check URLs, it could be https://my.open1d.org instead of https://evil.org.)

Pardon my ignorance regarding TLS, but I don't see what protection it would provide against such an attack. Is TLS similar to SSL with the exception of http prefix usage?

Regards,
Dmitry
=damnian
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
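
As an added illustration of the attack vector described in this message (not part of the original post and not code from any OpenID library): a relying-party-side audit of a recorded discovery redirect chain, which marks the resulting URL untrusted once any hop was fetched without TLS, since that hop's Location header could come from whoever controls DNS or the network path. The function name `audit_chain` and both sample chains are constructed for this example; `foo.example` and `id.example` are placeholder hosts.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample chains: (requested URL, HTTP status, Location header or None).
SPOOFED = [
    ("http://foo.blogspot.com/", 302, "https://my.open1d.org/"),
    ("https://my.open1d.org/", 200, None),   # valid certificate, wrong party
]
ALL_TLS = [
    ("https://foo.example/", 302, "https://id.example/foo"),
    ("https://id.example/foo", 200, None),
]


def audit_chain(hops):
    """Audit a recorded redirect chain that started at the claimed identifier.

    A certificate on the last hop only authenticates that last host. It says
    nothing about whether the redirect pointing there came from the real
    origin, so one plaintext hop makes every later URL in the chain
    attacker-influenced.
    """
    tainted_at = None    # index of the first hop whose response was unauthenticated
    host_changes = []    # (from_host, to_host) pairs, useful for logging and alerting
    final = hops[0][0]
    for i, (url, status, location) in enumerate(hops):
        src = urlsplit(url)
        if src.scheme != "https" and tainted_at is None:
            tainted_at = i
        final = url
        if status not in REDIRECTS or not location:
            break
        target = urljoin(url, location)  # Location may be a relative reference
        dst_host = urlsplit(target).hostname
        if dst_host != src.hostname:
            host_changes.append((src.hostname, dst_host))
        final = target
    return {
        "claimed": hops[0][0],
        "final": final,
        "trusted": tainted_at is None,
        "tainted_at": tainted_at,
        "host_changes": host_changes,
    }
```
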
