Hey Claus,
I was replying in support of what Ka-Ping said which was:
You're talking about a different problem, which we already know how to
address -- the login form should use HTTPS instead of HTTP.
--David
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claus Färber
Sent: Friday, February 09, 2007 12:24 AM
To: [email protected]
Subject: Re: [security] Passwords in the clear
Recordon, David <[EMAIL PROTECTED]> schrieb/wrote:
> +1, any OP worth its code will use HTTPS when working with passwords or user
> data.
That does not help if a rogue RP sends the user elsewhere and the MITM provides
a valid SSL certificate for his "lookalike" domain name.
Claus
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
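The scenario Claus raises (a rogue RP redirecting the user to a lookalike provider that holds a perfectly valid certificate) is exactly the case that HTTPS alone does not catch: the TLS handshake only proves the server owns *that* name, not that it is the OP the user meant. The check that does help is on the exact hostname. The following is an added example, not code from the thread or from any OpenID library; all hostnames in it are constructed sample values, and the small confusables table is a deliberately reduced stand-in for the full Unicode confusables data.

```python
"""
Added example (not part of the original thread): a defender-side check that a
login redirect really points at the OpenID provider host the user expects.
A valid TLS certificate on a lookalike domain passes every HTTPS check, so the
decision has to be made on the hostname itself. Sample hosts are constructed.
"""
from urllib.parse import urlsplit
import unicodedata

# Visually confusable characters mapped to an ASCII "skeleton" letter.
# Deliberately small; a real deployment would use the Unicode confusables table.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def normalize_host(host: str) -> str:
    """Canonical form: lower-case, no trailing dot, punycode decoded to Unicode,
    NFKC-normalised so e.g. fullwidth letters compare as plain ASCII."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as given
    return unicodedata.normalize("NFKC", host)


def skeleton(host: str) -> str:
    """Collapse confusables so 'my0penid.example' and 'myopenid.example' match."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in normalize_host(host))
    return s.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to flag one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_op_redirect(redirect_url: str, trusted_op_host: str) -> str:
    """Classify where a login redirect would send the user.

    Returns one of:
      'ok'           exact (normalised) match with the expected OP host
      'not-https'    credentials would travel in the clear
      'lookalike'    differs from the expected host only by confusable
                     characters or a single edit: the case HTTPS cannot catch
      'unknown-host' some other host entirely
    """
    parts = urlsplit(redirect_url)
    if parts.scheme != "https":
        return "not-https"
    host = normalize_host(parts.hostname or "")
    trusted = normalize_host(trusted_op_host)
    if host == trusted:
        return "ok"
    if skeleton(host) == skeleton(trusted) or edit_distance(host, trusted) <= 1:
        return "lookalike"
    return "unknown-host"


if __name__ == "__main__":
    TRUSTED = "myopenid.example"  # constructed: the OP the user registered with
    for url in [
        "https://myopenid.example/login",
        "http://myopenid.example/login",
        "https://my0penid.example/login",
        "https://my\u043epenid.example/login",  # Cyrillic 'о' in place of 'o'
        "https://rnyopenid.example/login",
        "https://other-provider.example/login",
    ]:
        print(f"{check_op_redirect(url, TRUSTED):13s} {url}")
```

The point of the classification is that `lookalike` and `unknown-host` are both reached only after the scheme check has passed: the connection would be encrypted and the certificate valid, yet the user's password would still be typed into the wrong site. The user agent (or a browser extension acting for the user) is the only party that knows which OP the user actually meant, which is why this comparison belongs on the client side rather than at the RP.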