anders conbere wrote:
> On Dec 20, 2007 12:28 PM, Alex Jones <[EMAIL PROTECTED]> wrote:
>>
>> On 20 Dec 2007, at 20:18, anders conbere wrote:
>>
>>> In what I'm describing you wouldn't. The work flow is like this.
>>>
>>> 1) Site requests Authentication,
>>> 2) you enter your JID
>>> 3) site sends an http request to the jabber server requesting
>>> confirmation of user identity
>>> 4) Jabber server requests user credentials
>> This is the broken part, the part that can be maliciously abused.
>
> How could that be abused? You're entering credentials at the jabber
> server that you've already signed up for an account at. It could
> possibly be phished, but there are methodologies around that as well.

I think what Alex is worried about is this flow:

1. Site requests authentication
2. I enter your JID
3. Site sends an HTTP request to your Jabber server requesting
   confirmation of user identity
4. Jabber server requests user credentials

Lather, rinse, repeat. Voila, a new form of spam.

Peter

--
Peter Saint-Andre
https://stpeter.im/
