Investigation: Live ID on

    General discussion

  • To see the labeled traces (links to the raw traffic are in the benign trace):

    benign trace | scenario (A) | scenario (B) | scenario (C)

    Understanding of the trace:

    1. IdP ( delivers the secret token t to the target website ( The goal of the attacker should be to steal t at a certain point.
    2. wreply is the return URL

    Tuesday, February 07, 2012 7:43 PM

All replies

  • id in BRM1 should be the identity for the replying party website. For example, for, it is 264960; for, it is 1184; and for, it is 64855.

    lc in BRM1 is a constant. It is always 1033.

    ct in BRM1 should be a timestamp: the value in the raw traces is trace1 < trace2 < trace3, and the capture time of the traces is trace1 < trace2 < trace3, meaning that the value increases with time.
    Tuesday, February 07, 2012 10:54 PM
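
The cross-trace comparison used in the reply above, as an added example that is not part of the original thread: it parses the BRM1 query string from each capture and labels every parameter by how its value behaves across captures. The hosts, the `/login` path, the `ct` values, the `wreply` values and the pairing of ids with traces are constructed placeholders; only the `id` and `lc` values come from the reply.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed BRM1 requests, listed in capture order. Hosts, path, ct and wreply
# are placeholders; the id and lc values are the ones quoted in the reply.
TRACES = [
    "https://idp.example/login?id=264960&lc=1033&ct=1328640000"
    "&wreply=https%3A%2F%2Frp1.example%2Fauth",
    "https://idp.example/login?id=1184&lc=1033&ct=1328640420"
    "&wreply=https%3A%2F%2Frp2.example%2Fauth",
    "https://idp.example/login?id=64855&lc=1033&ct=1328641200"
    "&wreply=https%3A%2F%2Frp3.example%2Fauth",
]


def params(url):
    """Return the query parameters of one request as {name: first value}."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def classify(urls):
    """Label each parameter by how its value behaves across the captures."""
    rows = [params(u) for u in urls]
    labels = {}
    for name in sorted(set().union(*rows)):
        values = [row.get(name) for row in rows]
        if None in values:
            labels[name] = "not always present"
        elif len(set(values)) == 1:
            labels[name] = "constant"
        elif all(v.isdigit() for v in values) and all(
            int(a) < int(b) for a, b in zip(values, values[1:])
        ):
            # Numeric and strictly increasing in capture order: timestamp-like.
            labels[name] = "increasing with capture time"
        elif len(set(values)) == len(values):
            labels[name] = "differs per trace"
        else:
            labels[name] = "mixed"
    return labels


if __name__ == "__main__":
    for name, label in classify(TRACES).items():
        print(f"{name:8} {label}")
```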