Replay attacks vs man in the middle

Martin Atkins mart at
Fri May 20 10:54:56 PDT 2005

Sam Ruby wrote:
> In fact, the easiest thing I could do is to let the system go through 
> the motions.  I initiate a post to your website saying that I am Fred. 
> Fred's server serves up a page which asks me to authenticate.  I, of 
> course, fail, but instead of the IFrame passing back up this little bit 
> of information, I pass up a different response instead.  Remember, I 
> have Greasemonkey.  This browser does what *I* want it to do.
>  From your perspective, you served up a comment form.  You initiated a 
> redirect to Fred's machine.  You get back a response that says "Fred 
> says it was OK".  What's not to like?

That's right. It'll all work fine until you submit it to the consumer 
site, at which point it'll try to validate your token but the ID server 
key won't match.

All you've done is conned your client. The server knows better.

More information about the yadis mailing list