As per a comment in the code, the TLS certificate for verifier.login.persona.org should be checked before the output is parsed.
Otherwise, an attacker could mount a DNS poisoning attack and swap the real verifier for their own hostile verifier. This would allow the attacker to impersonate anybody on the site.
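One way to enforce the check described above, as an added example in Python that is not the project's own code. The `/verify` path, the `assertion`/`audience` form fields, the `status`/`audience`/`email` response fields and all function names are assumptions; only the verifier hostname comes from the report.

```python
import http.client
import json
import ssl
import urllib.parse

VERIFIER_HOST = "verifier.login.persona.org"   # host named in the report
VERIFY_PATH = "/verify"                        # assumed endpoint path


def strict_tls_context():
    """TLS context that validates the certificate chain and the hostname."""
    ctx = ssl.create_default_context()         # system CA store
    ctx.check_hostname = True                  # cert must match VERIFIER_HOST
    ctx.verify_mode = ssl.CERT_REQUIRED        # no valid cert, no connection
    return ctx


def fetch_verdict(assertion, audience, timeout=10):
    """POST to the verifier; a TLS failure raises before any body is read."""
    body = urllib.parse.urlencode({"assertion": assertion, "audience": audience})
    conn = http.client.HTTPSConnection(
        VERIFIER_HOST, context=strict_tls_context(), timeout=timeout)
    try:
        conn.request("POST", VERIFY_PATH, body,
                     {"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        if resp.status != 200:
            raise OSError("verifier returned HTTP %d" % resp.status)
        return resp.read()
    finally:
        conn.close()


def verified_email(assertion, audience, fetch=fetch_verdict):
    """Return the asserted email, or None. Fails closed on any error."""
    try:
        raw = fetch(assertion, audience)
    except (OSError, http.client.HTTPException):
        return None                            # covers ssl.SSLCertVerificationError
    try:
        verdict = json.loads(raw)              # parsed only after TLS succeeded
    except ValueError:
        return None
    if not isinstance(verdict, dict):
        return None
    if verdict.get("status") != "okay" or verdict.get("audience") != audience:
        return None
    return verdict.get("email")
```

The `fetch` parameter exists so the fail-closed path can be exercised offline with a stub that raises a certificate error.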