Replay attacks vs man in the middle
rubys at intertwingly.net
Fri May 20 11:37:32 PDT 2005
Martin Atkins wrote:
> Sam Ruby wrote:
>> In fact, the easiest thing I could do is to let the system go through
>> the motions. I initiate a post to your website saying that I am Fred.
>> Fred's server serves up a page which asks me to authenticate. I, of
>> course, fail, but instead of the IFrame passing back up this little
>> bit of information, I pass up a different response instead. Remember,
>> I have Greasemonkey. This browser does what *I* want it to do.
>> From your perspective, you served up a comment form. You initiated a
>> redirect to Fred's machine. You get back a response that says "Fred
>> says it was OK". What's not to like?
> That's right. It'll all work fine until you submit it to the consumer
> site, at which point it'll try to validate your token but the ID server
> key won't match.
> All you've done is conned your client. The server knows better.
That would be cool, but I miss the part in the specs where it says this.
But, assuming that were so, then I would assert that this is the part
that is necessary and sufficient. The redirection is not the crucial
part, this is.
Now, given that I can install software on my client, all I need to be
able to do is generate a token that matches my ID server. This means
that I can avoid all the round trips.
- Sam Ruby
More information about the yadis