
Re: Security issues in standards (ruby-openid / CVE-2019-11027)

Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> Just a quick question about this patch, since I haven't really tested
> this at all (though I am aware of the CVE):
> is checking the signature before sending a request to the openid.claimed_id URL
> strict enough?

Yes, that is my understanding. If the signature is checked, that makes
it impossible for a third party to change the claimed_id URL, rendering
the attack impossible.

I don't claim to be an expert on this, however.
Brian May <bam@debian.org>
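The ordering the thread discusses, as an added illustration that is not part of this message or of ruby-openid itself: a relying party verifies the response signature, and confirms that claimed_id is among the signed fields, before it performs any discovery fetch against the claimed_id URL. The signature is an HMAC over the key-value form of the signed fields, as in OpenID 2.0; the MAC key, field values, and the `fetch` callback (which merely records which URLs would have been fetched) are all constructed for the example.

```ruby
require 'openssl'

# Constructed example: MAC_KEY stands in for the association MAC key the
# RP and OP share. Real ruby-openid loads it from its association store.
MAC_KEY = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" * 2

# Fields an RP insists on seeing under the signature (OpenID 2.0 section 10.1).
REQUIRED_SIGNED = %w[op_endpoint return_to response_nonce assoc_handle claimed_id identity]

# Key-value form of the signed fields (OpenID 2.0 section 6.1): one
# "key:value\n" line per field, in the order given by openid.signed, with
# the "openid." prefix dropped from each key.
def key_value_form(fields)
  fields['openid.signed'].split(',').map { |k| "#{k}:#{fields["openid.#{k}"]}\n" }.join
end

# HMAC-SHA256 over the key-value form, base64 encoded without line breaks.
def compute_sig(fields, mac_key)
  [OpenSSL::HMAC.digest('sha256', mac_key, key_value_form(fields))].pack('m0')
end

# Constant-time comparison so the check does not leak the expected value via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(fields, mac_key)
  secure_equal?(compute_sig(fields, mac_key), fields['openid.sig'].to_s)
end

# The order of the checks is the point: the signature, and the fact that
# claimed_id is covered by it, are verified before anything is fetched from
# the claimed_id URL. `fetch` plays the discovery step.
def verify_response(fields, mac_key, fetch)
  signed = fields['openid.signed'].to_s.split(',')
  return :rejected_unsigned_fields unless (REQUIRED_SIGNED - signed).empty?
  return :rejected_bad_signature unless signature_valid?(fields, mac_key)
  fetch.call(fields['openid.claimed_id']) # discovery happens only now
  :accepted
end

# A constructed positive assertion, signed with the shared MAC key.
def genuine_response
  f = {
    'openid.ns' => 'http://specs.openid.net/auth/2.0',
    'openid.mode' => 'id_res',
    'openid.op_endpoint' => 'https://op.example/endpoint',
    'openid.claimed_id' => 'https://alice.example/',
    'openid.identity' => 'https://alice.example/',
    'openid.return_to' => 'https://rp.example/return',
    'openid.response_nonce' => '2019-05-01T00:00:00Zabc',
    'openid.assoc_handle' => 'handle-1',
    'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,signed'
  }
  f['openid.sig'] = compute_sig(f, MAC_KEY)
  f
end

# Run one response through the check and report [outcome, urls_fetched].
def run(fields)
  fetched = []
  outcome = verify_response(fields, MAC_KEY, ->(url) { fetched << url })
  [outcome, fetched]
end

if __FILE__ == $0
  p run(genuine_response)
  # Same response with claimed_id altered after signing: rejected, nothing fetched.
  p run(genuine_response.merge('openid.claimed_id' => 'https://other.example/'))
end
```

With the checks in this order, a response whose claimed_id was altered after signing fails verification and no request is ever sent to the altered URL, which is the property the patch under discussion relies on.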
