OpenID is really just a protocol which allows a user to prove access to an identifier, and is conceptually identical to the Password Reset via email flow deployed by countless websites today.
Many websites allow users to login either by entering their password, or by proving ownership of the email address associated with the account (usually known as Password Reset via email). As best described by Simon Willison, logging in with an OpenID is really the same thing as allowing Password Reset via email, just with a much better user interface. In both cases, the Relying Party requires the user to prove access to an external account. Although I am certainly not a crypto or email expert, I believe that Password Reset use case is equally vulnerable to this DNS/HTTPS vulnerability, if not more so, as the Relying Party could be tricked into sending the password reset email to the attacker. Again, as many others on this list have pointed out, I am perplexed as to why OpenID is being singled out for this vulnerability with DNS and HTTPS. Allen Ben Laurie wrote: > OpenID is "singled out" because I am not talking about a potential > problem but an actual problem. > _______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
