by gbhn 5452 days ago
BrowserID implements https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol

From that document: "destination.com retrieves Alice's public key from mailhost.com by using a webfinger lookup over SSL."

So it looks to me that the system's security depends on the attacker not having compromised DNS such that the relying party's query of mailhost.com is intercepted. Depending on the implementation, doing this "over SSL" provides some additional security over unchecked reliance on DNS, but given how frequently keys roll, it may not be that much in practice.

1 comment

BrowserID references the verified email protocol as an inspiration, but they specifically removed the webfinger bits.