Utkarsh Gupta <guptautkarsh2...@gmail.com> writes:

> Just a quick question about this patch since I haven't really tested
> this at all (however aware of the CVE),
> Is checking signature before sending a request to openid.claimed_id URL
> strict enough?
Yes, that is my understanding. If the signature is checked, that makes it
impossible for a third party to change the claimed_id URL, rendering the
attack impossible. I don't claim to be an expert on this, however.

-- 
Brian May <b...@debian.org>
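The ordering the reply relies on, verify the assertion's signature and only then touch the claimed_id URL, as an added illustration that is not code from the patch or from the library under discussion. It follows the OpenID 2.0 signing rules (key-value form over the fields listed in openid.signed, HMAC-SHA256 association, base64 of the raw MAC); the MAC key, URLs, nonce and handle are constructed sample data, and the function names are this example's own. It also covers the case the question hints at: a response whose signature verifies but whose openid.signed list does not include claimed_id, which must be rejected just the same, because the signature then says nothing about that URL.

```python
import base64
import hashlib
import hmac

# Constructed sample data (assumptions, not taken from the thread): the
# association MAC key shared between the relying party (RP) and the OpenID
# provider (OP), and an OpenID 2.0 positive assertion as the RP receives it.
MAC_KEY = b"constructed-example-association-mac-key"


def kv_form(fields, signed_names):
    """Key-value form over the signed fields, in openid.signed order.
    This is the byte string OpenID 2.0 HMAC signatures are computed over."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed_names)


def sign_assertion(fields, mac_key):
    """OP side: return a copy of the assertion with openid.sig filled in
    (HMAC-SHA256 association type, base64-encoded raw MAC)."""
    signed_names = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed_names).encode(), hashlib.sha256).digest()
    return {**fields, "openid.sig": base64.b64encode(mac).decode()}


def check_assertion(fields, mac_key):
    """RP side: decide whether openid.claimed_id may be trusted.

    Returns (ok, reason). No network request is made here; the point of
    the patch under discussion is that this runs *before* the RP contacts
    the claimed_id URL for discovery."""
    signed_names = fields.get("openid.signed", "").split(",")
    # A valid signature only protects the fields it covers, so claimed_id
    # has to be among them before the MAC check means anything for it.
    if "claimed_id" not in signed_names:
        return False, "claimed_id is not covered by the signature"
    try:
        expected = hmac.new(mac_key, kv_form(fields, signed_names).encode(),
                            hashlib.sha256).digest()
    except KeyError as missing:
        return False, f"signed field missing from response: {missing}"
    sig = base64.b64encode(expected).decode()
    if not hmac.compare_digest(sig, fields.get("openid.sig", "")):
        return False, "signature does not verify"
    return True, "ok"


def claimed_id_to_fetch(fields, mac_key):
    """Return the claimed_id URL the RP may now perform discovery on,
    or None if the assertion must be dropped without any fetch."""
    ok, _ = check_assertion(fields, mac_key)
    return fields["openid.claimed_id"] if ok else None


_BASE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/server",
    "openid.claimed_id": "https://alice.example.org/",
    "openid.identity": "https://alice.example.org/",
    "openid.return_to": "https://rp.example.net/openid/complete",
    "openid.response_nonce": "2024-01-01T00:00:00Zconstructed",
    "openid.assoc_handle": "constructed-assoc-handle",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}

# 1. Genuine assertion signed by the OP.
GOOD_RESPONSE = sign_assertion(_BASE, MAC_KEY)

# 2. Same assertion after a third party rewrote claimed_id in transit to a
#    URL of their choosing; without MAC_KEY they cannot re-sign it.
TAMPERED_RESPONSE = {**GOOD_RESPONSE, "openid.claimed_id": "http://attacker.example/"}

# 3. Correctly signed, but the OP left claimed_id out of openid.signed, so
#    the signature does not bind it; the RP must reject this too.
UNSIGNED_CLAIMED_ID_RESPONSE = sign_assertion(
    {**_BASE, "openid.signed": "op_endpoint,identity,return_to,response_nonce,assoc_handle"},
    MAC_KEY)

if __name__ == "__main__":
    for label, response in [("good", GOOD_RESPONSE),
                            ("tampered claimed_id", TAMPERED_RESPONSE),
                            ("claimed_id not signed", UNSIGNED_CLAIMED_ID_RESPONSE)]:
        print(label, check_assertion(response, MAC_KEY),
              claimed_id_to_fetch(response, MAC_KEY))
```

Only the first response yields a URL; the other two are refused before any HTTP request is built, which is the property the reply describes. In a real RP the association handle would also be looked up and the nonce checked for replay, but those checks are independent of the claimed_id question raised here.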