
List:       openid-security
Subject:    [security] User Impersonation
From:       mart () degeneration ! co ! uk (Martin Atkins)
Date:       2007-03-05 18:29:42
Message-ID: 45EC6196.8090908 () degeneration ! co ! uk

Paul C. Bryan wrote:
> 
> 3. I, the attacker, set up my attacking OpenID page
> (http://attacker.org/attackjohn.html) with the following link
> relationships:
> 
>   openid.server = http://rogeidp.org/openid
>   openid.delegate = http://secureid.org/jsmith
> 
> 4. I go to John's favorite Wiki site, where he has authored a lot of
> content and developed a reputation using his OpenID identity. I can
> authenticate with the site just as he does, and impersonate him in all
> of my further deeds.
> 
> </scenario>
> 
> So, am I missing something?
> 

Yes, you are. :)

In the above situation, despite the "delegate" reference, a site is 
required to use the "claimed identifier" 
http://attacker.org/attackjohn.html rather than the delegate identifier 
http://secureid.org/jsmith, so even if http://rogeidp.org/openid 
provides a positive assertion for http://secureid.org/jsmith the end 
site will identify you as http://attacker.org/attackjohn.html. You have 
gained nothing.
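
The check described in this reply, as an added example that is not part of the original message or of any OpenID library: a relying party that verifies the assertion against the delegate but binds the session to the claimed identifier. The function names, the `key_by_claimed_id` switch, the stand-in IdP and the account table are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discovery:
    claimed_id: str  # URL the user typed at the relying party
    server: str      # openid.server link found on that page
    delegate: str    # openid.delegate link found on that page

# Constructed discovery result for the page in the scenario.
DISCOVERED = {
    "http://attacker.org/attackjohn.html": Discovery(
        claimed_id="http://attacker.org/attackjohn.html",
        server="http://rogeidp.org/openid",
        delegate="http://secureid.org/jsmith",
    ),
}

# Constructed account table at the wiki, keyed by claimed identifier.
WIKI_ACCOUNTS = {"http://secureid.org/jsmith": "John"}

def rogue_idp(identity):
    """Stand-in for an IdP that positively asserts whatever it is asked about."""
    return {"openid.mode": "id_res", "openid.identity": identity}

def login(user_url, idp, key_by_claimed_id=True):
    """Return the identifier the relying party binds the session to, or None."""
    d = DISCOVERED.get(user_url)
    if d is None:
        return None
    resp = idp(d.delegate)  # the server is asked about the delegate
    if resp.get("openid.mode") != "id_res":
        return None
    if resp.get("openid.identity") != d.delegate:
        return None
    # Required behaviour: the session belongs to the claimed identifier.
    # key_by_claimed_id=False models a hypothetical non-compliant site.
    return d.claimed_id if key_by_claimed_id else resp["openid.identity"]

def account_for(identifier):
    """Look up the wiki account that owns an identifier, if any."""
    return WIKI_ACCOUNTS.get(identifier)

if __name__ == "__main__":
    url = "http://attacker.org/attackjohn.html"
    for compliant in (True, False):
        ident = login(url, rogue_idp, key_by_claimed_id=compliant)
        print(compliant, ident, "->", account_for(ident))
```

A site that keys accounts by the claimed identifier resolves this login to no existing account; only the hypothetical site that keys by the asserted delegate maps it to John.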


