Hi All,

I believe that everything in the Security Best Practices document has already been discussed publicly, except for the checkid_immediate "open redirector" issue listed in the OP Best Practices section.

In a nutshell, checkid_immediate can be used as an open redirector, forcing the OP to redirect the browser with the response to the return_to URL. This interface can potentially be misused to make checkid_immediate behave similarly to TinyURLs, in which an attacker could obfuscate a link by hiding it behind an OP's checkid_immediate interface.

If anyone would like to discuss using checkid_immediate as an open redirector, we should do it here.

Thanks
Allen

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
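The mechanism Allen describes, as an added example that is not code from the thread or from the OpenID project: an attacker builds a link whose visible host is the OP's, with openid.mode=checkid_immediate and a return_to of the attacker's choosing; an OP that has no session for the user answers with a negative assertion, which is an HTTP redirect to that return_to, so the OP bounces the browser wherever the link says. The hardened handler below only issues an unattended redirect when return_to fits the realm (the OpenID 2.0 section 9.2 matching rules) and the realm is an RP whose discovery document (section 9.2.1) actually declared that return_to; everything else is rendered as a page that names the destination. The OP endpoint, the RP hostnames and the discovery cache are constructed for the example, not real.

```python
# Added example, not code from the OpenID project or the mailing-list thread.
# OP endpoint, RP names and the "discovery cache" below are constructed.
from urllib.parse import urlencode, urlparse, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_ENDPOINT = "https://op.example/openid"   # constructed OP endpoint


def build_checkid_immediate(return_to, realm=None, op_endpoint=OP_ENDPOINT):
    """Build a checkid_immediate request URL. An attacker uses this with a
    return_to (and realm) under their control: the link's visible host is the
    OP's, but the OP will bounce the browser to return_to."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm or return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def _params(request_url):
    return {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}


def _negative_response(return_to):
    """Negative assertion for checkid_immediate: a redirect to return_to."""
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({"openid.ns": OPENID_NS,
                                        "openid.mode": "setup_needed"})


def naive_op_handle(request_url):
    """Vulnerable OP: it has no session for the user, so it answers every
    checkid_immediate with a negative assertion, i.e. a 302 to whatever
    return_to the request named. This is the open redirector."""
    p = _params(request_url)
    if p.get("openid.mode") != "checkid_immediate":
        return ("error", "unsupported mode")
    return ("redirect", _negative_response(p["openid.return_to"]))


def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 section 9.2 realm matching: same scheme and port, no
    fragment, host equal to the realm's host (or under it for a '*.' realm),
    path equal to or below the realm's path."""
    u, r = urlparse(return_to), urlparse(realm)
    if u.fragment or u.scheme != r.scheme or (u.port or None) != (r.port or None):
        return False
    uhost, rhost = u.hostname or "", r.hostname or ""
    if rhost.startswith("*."):
        base = rhost[2:]
        if not (uhost == base or uhost.endswith("." + base)):
            return False
    elif uhost != rhost:
        return False
    upath, rpath = u.path or "/", r.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")


# Constructed stand-in for cached RP discovery results (section 9.2.1):
# realms the OP has fetched, mapped to the return_to URLs their XRDS declared.
DISCOVERED_RPS = {
    "https://rp.example/": {"https://rp.example/openid/return"},
}


def hardened_op_handle(request_url, discovered=DISCOVERED_RPS):
    """Hardened OP: an unattended redirect only when return_to fits the realm
    AND the realm is a discovered RP that declared this return_to. Any other
    destination is shown to the user on an interstitial page instead of a
    302, so the endpoint can no longer be used as a link obfuscator."""
    p = _params(request_url)
    if p.get("openid.mode") != "checkid_immediate":
        return ("error", "unsupported mode")
    return_to = p.get("openid.return_to")
    realm = p.get("openid.realm") or return_to
    if not return_to or not return_to_matches_realm(return_to, realm):
        return ("error", "return_to does not match realm")
    if return_to in discovered.get(realm, ()):
        return ("redirect", _negative_response(return_to))
    return ("interstitial", return_to)


if __name__ == "__main__":
    link = build_checkid_immediate("https://evil.example/phish")
    print("attacker link:", link)
    print("naive OP    :", naive_op_handle(link))
    print("hardened OP :", hardened_op_handle(link))
```

The interstitial is the usual open-redirector defence (show the destination, require a click) applied only to RPs the OP cannot vouch for; a legitimate RP that publishes an XRDS document naming its return_to still gets the silent redirect the protocol expects. Note that realm matching on its own does not help here, since the attacker supplies both return_to and realm.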