Replay attacks vs man in the middle
Martin Atkins
mart at degeneration.co.uk
Fri May 20 10:54:56 PDT 2005
Sam Ruby wrote:
>
> In fact, the easiest thing I could do is to let the system go through
> the motions. I initiate a post to your website saying that I am Fred.
> Fred's server serves up a page which asks me to authenticate. I, of
> course, fail, but instead of the IFrame passing back up this little bit
> of information, I pass up a different response instead. Remember, I
> have Greasemonkey. This browser does what *I* want it to do.
>
> From your perspective, you served up a comment form. You initiated a
> redirect to Fred's machine. You get back a response that says "Fred
> says it was OK". What's not to like?
>
That's right. It'll all work fine until you submit it to the consumer
site, at which point it'll try to validate your token but the ID server
key won't match.
All you've done is conned your client. The server knows better.
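The server-side check Martin describes, as an added illustration that is not code from the thread or from the yadis project: a simplified model in which the consumer site and the ID server share a key (an assumption standing in for "the ID server key"), the ID server MACs its "OK" assertion, and the consumer recomputes the MAC itself, so a response assembled in the browser without the key is rejected. Field names and the constructed assertions are hypothetical.

```python
import hmac
import hashlib
import secrets

# Hypothetical, simplified model of the exchange in the thread. The
# consumer site and Fred's identity server share a secret key; the
# identity server signs its assertion with it and the consumer checks
# the signature on its own side. This is not the yadis wire format.


def _canonical(fields: dict) -> bytes:
    """Serialise the assertion fields in a fixed order for MAC input."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def sign_assertion(server_key: bytes, fields: dict) -> dict:
    """Identity server: attach an HMAC-SHA256 over the assertion fields."""
    sig = hmac.new(server_key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def consumer_validates(server_key: bytes, response: dict) -> bool:
    """Consumer site: recompute the MAC with its own copy of the key.

    A 'Fred says it was OK' message built in the browser (Greasemonkey
    or otherwise) has no access to the key, so its signature cannot
    match, and tampering with a genuine assertion breaks the MAC too.
    """
    fields = {k: v for k, v in response.items() if k != "sig"}
    expected = hmac.new(server_key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response.get("sig", ""))


def demo() -> tuple:
    """Return (genuine accepted, forged rejected, tampered rejected)."""
    key = secrets.token_bytes(32)  # constructed association key
    genuine = sign_assertion(key, {"identity": "fred", "status": "ok", "nonce": "n1"})
    # Constructed: what a client could hand back without ever holding the key.
    forged = {"identity": "fred", "status": "ok", "nonce": "n1", "sig": "0" * 64}
    # Constructed: a genuine assertion with one field rewritten.
    tampered = {**genuine, "identity": "mallory"}
    return (
        consumer_validates(key, genuine),
        not consumer_validates(key, forged),
        not consumer_validates(key, tampered),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```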