[higgins-dev] Attack on CardSpace possible with CloudSelector?

Hello there,

I've recently stumbled upon a paper that describes an attack that can
be made on CardSpace. The article can be downloaded here:
http://demo.nds.rub.de/cardspace/GaScXu08_CardSpaceTR.pdf.

To summarize briefly, after a successful DNS spoof attack, a malicious
Web server is accessed when a user tries to visit an RP's site. The
malicious server then redirects the user to the legit page, but breaks
the "same origin policy". That makes it able to intercept the token
that is sent to the RP by the card selector through the browser.

Basically, I was wondering if this attack is possible if the user is
using the CloudSelector. It is my understanding that the token that
comes from the selector and is sent to the RP passes through the
browser, even though the selector is not running on the user's
computer. If it's the case then the attack would be possible.

Am I missing something? Any thoughts?

Thanks,
Jonathan
