tag:blogger.com,1999:blog-6894552.post8948050388017137781..comments2008-07-28T10:50:04.503-07:00Comments on JMPInline: How I have taken control of my own identity, part ...Andrew Arnotthttps://profiles.google.com/114635397638720587251noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-6894552.post-73990725197735848842008-07-28T10:50:00.000-07:002008-07-28T10:50:00.000-07:00Hi Neil,<br><br>As I recall (it's been a while sin...Hi Neil,<BR/><BR/>As I recall (it's been a while since I reviewed Mads' and Troy's code) the security hole is that CheckAuthentication implicitly trusts the op_endpoint parameter. As per the OpenID 2.0 spec section 11.2 this parameter and a few others must be verified either by rediscovery or by recalling a previous discovery and comparing the results with what is included in the positive Andrewhttp://www.blogger.com/profile/13632400519774640095noreply@blogger.comtag:blogger.com,1999:blog-6894552.post-75042012568339158882008-07-28T09:02:00.000-07:002008-07-28T09:02:00.000-07:00This is not the right place to comment, I'm sure, ...This is not the right place to comment, I'm sure, but today I stombled on<BR/>http://www.squaredroot.com/post/2008/04/OpenID-Check_Authentication.aspx<BR/><BR/>and your comment<BR/><BR/>Security hole<BR/>Hi Troy,<BR/>This is a good addition to Mads' implementation, but unfortunately this also has a security hole that would allow me to log in as anyone. Email me and I'll explain what you need to foreverneilyounghttp://foreverneilyoung.blogspot.com/noreply@blogger.com