<![CDATA[I'm half asleep and not feeling very well today, so please bear that in mind with the following question...]]>I'm half asleep and not feeling very well today, so please bear that in mind with the following question...

In the context of a third party Digital Identity provider using PKI, can a phishing site act as a socks proxy (or a plain MitM) for the site that wants authentication, with the third party digital identity provider obviously going direct to the victim because it's a different site (or app), and then just steal the session token once the authentication process is finished?

The point being (possibly) that the PKI gubbins could happen purely with the ID provider. Is there potentially some sort of handshake via the client between the ID provider and the authentication server which stops this? Should I just go and have a nap?

cc: @tychotithonus @atoponce

]]>https://board.circlewithadot.net/topic/c4a8b106-2d68-46bd-b41a-3dd7309c4c5b/i-m-half-asleep-and-not-feeling-very-well-today-so-please-bear-that-in-mind-with-the-following-question...RSS for NodeFri, 15 May 2026 02:51:53 GMTTue, 28 Apr 2026 10:09:54 GMT60<![CDATA[Reply to I'm half asleep and not feeling very well today, so please bear that in mind with the following question... on Tue, 28 Apr 2026 14:55:35 GMT]]>@davep

Yeah, my understanding is that if something is in the middle, then unless there's something like WebAuthn (or some other equivalent steps) that enforces binding -- cryptographic validation -- of the actual origin at the far end ... spoofing is possible.

@atoponce

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/tychotithonus/statuses/116482908831870320https://board.circlewithadot.net/post/https://infosec.exchange/users/tychotithonus/statuses/116482908831870320Tue, 28 Apr 2026 14:55:35 GMT<![CDATA[Reply to I'm half asleep and not feeling very well today, so please bear that in mind with the following question... on Tue, 28 Apr 2026 10:36:49 GMT]]>@Peacefulz Cheers 🙏

I'll go through that when I'm less befuddled.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/davep/statuses/116481891343602064https://board.circlewithadot.net/post/https://infosec.exchange/users/davep/statuses/116481891343602064Tue, 28 Apr 2026 10:36:49 GMT<![CDATA[Reply to I'm half asleep and not feeling very well today, so please bear that in mind with the following question... on Tue, 28 Apr 2026 10:28:42 GMT]]>@davep

PKCE: link

DPoP: link

This should send you in the right direction. You're correct. PKI alone is vulnerable.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/Peacefulz/statuses/116481859418575767https://board.circlewithadot.net/post/https://infosec.exchange/users/Peacefulz/statuses/116481859418575767Tue, 28 Apr 2026 10:28:42 GMT<![CDATA[Reply to I'm half asleep and not feeling very well today, so please bear that in mind with the following question... on Tue, 28 Apr 2026 10:23:03 GMT]]>@davep It'll take you a fraction of the time when you're not tired and ill.

]]>https://board.circlewithadot.net/post/https://beige.party/users/woe2you/statuses/116481837235160532https://board.circlewithadot.net/post/https://beige.party/users/woe2you/statuses/116481837235160532Tue, 28 Apr 2026 10:23:03 GMT<![CDATA[Reply to I'm half asleep and not feeling very well today, so please bear that in mind with the following question... on Tue, 28 Apr 2026 10:20:42 GMT]]>Just going through OpenID Connect stuff for the first time in ages but I'm too tired today. Ho hum.

Just a moment...

favicon

(hackmag.com)

@tychotithonus @atoponce

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/davep/statuses/116481827962433992https://board.circlewithadot.net/post/https://infosec.exchange/users/davep/statuses/116481827962433992Tue, 28 Apr 2026 10:20:42 GMT