[Psi-devel] Fixes to XEP-0070 implementation
Norman Rasmussen
norman at rasmussen.co.za
Tue Dec 5 13:17:47 PST 2006
On 12/5/06, Maciek Niedzielski <machekku at uaznia.net> wrote:
> 1) allow empty transaction id (as discussed with Remko)
This is prompted by my current OpenID implementation (which I need to
rework to fix). After the chat with Remko, I realise that transaction
id is critical for security purposes. It should be extremely visible
to the user in the confirmation window, and the user should be
prompted to double check that it matches what they typed into the
browser window.
The transaction id is the _only_ safety mechanism in place that stops
someone else typing your JID into the same website, and logging in as
you (if you click accept in your XMPP client). This is an easy social
engineering problem too, which is unfortunate.
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
More information about the psi-devel
mailing list