I'm half asleep and not feeling very well today, so please bear that in mind with the following question...
-
I'm half asleep and not feeling very well today, so please bear that in mind with the following question...
In the context of a third party Digital Identity provider using PKI, can a phishing site act as a socks proxy (or a plain MitM) for the site that wants authentication, with the third party digital identity provider obviously going direct to the victim because it's a different site (or app), and then just steal the session token once the authentication process is finished?
The point being (possibly) that the PKI gubbins could happen purely with the ID provider. Is there potentially some sort of handshake via the client between the ID provider and the authentication server which stops this? Should I just go and have a nap?
-
I'm half asleep and not feeling very well today, so please bear that in mind with the following question...
In the context of a third party Digital Identity provider using PKI, can a phishing site act as a socks proxy (or a plain MitM) for the site that wants authentication, with the third party digital identity provider obviously going direct to the victim because it's a different site (or app), and then just steal the session token once the authentication process is finished?
The point being (possibly) that the PKI gubbins could happen purely with the ID provider. Is there potentially some sort of handshake via the client between the ID provider and the authentication server which stops this? Should I just go and have a nap?
Just going through OpenID Connect stuff for the first time in ages but I'm too tired today. Ho hum.
-
Just going through OpenID Connect stuff for the first time in ages but I'm too tired today. Ho hum.
@davep It'll take you a fraction of the time when you're not tired and ill.
-
I'm half asleep and not feeling very well today, so please bear that in mind with the following question...
In the context of a third party Digital Identity provider using PKI, can a phishing site act as a socks proxy (or a plain MitM) for the site that wants authentication, with the third party digital identity provider obviously going direct to the victim because it's a different site (or app), and then just steal the session token once the authentication process is finished?
The point being (possibly) that the PKI gubbins could happen purely with the ID provider. Is there potentially some sort of handshake via the client between the ID provider and the authentication server which stops this? Should I just go and have a nap?
-
@Peacefulz Cheers
I'll go through that when I'm less befuddled.
-
Just going through OpenID Connect stuff for the first time in ages but I'm too tired today. Ho hum.
-
R relay@relay.infosec.exchange shared this topic
