[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Martin Atkins
mart at degeneration.co.uk
Fri Jan 11 18:03:37 UTC 2008
Sean Reilly wrote:
> I think the point is that OpenIDs should start with https: so that
> there is no http->https redirection needed. If any step of the
> process goes through a normal http exchange/redirect then there is a
> weak link in the chain where a bad guy could take over the
> authentication.
>
> Or maybe I'm missing something having jumped into the middle of the
> conversation.
>
In general it is true that any HTTP part of the transaction defeats the
HTTPS used in others, but the identifier URL is an exception.

If you enter sean.example.com, it'll initially try
http://sean.example.com/ and get redirected to
https://sean.example.com/. The protocol spec then requires RPs to use
the https version as the claimed_identifier. This means that when you
are ultimately authenticated, it will be as the https version of the URL.

If an attacker compromises the http form of the URL, there is no way for
him to authenticate as the https version, so while the http version has
been compromised you (presumably) never actually used that to log in to
anything, so your existing accounts are safe.

There are still some attacks that can be done in the above situation,
such as a variation on phishing done by interfering with the insecure
version of your identifier to cause you to be sent to a lookalike of
your IdP. Fortunately this attack is harder to perpetrate because it can
only be done with you in the loop.

If you are concerned about the latter attack, then you can either enter
https:// explicitly or wait until you get to your IdP and verify its SSL
cert to make sure you haven't been tricked.
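As an added illustration (not part of the thread), here is a small Python model of the normalisation-and-redirect step Martin describes, run against a constructed in-memory "web" so it needs no network. The hostnames, the lookalike site and the tampered redirect are hypothetical; the point is that the URL discovery finishes on is the claimed_identifier, so tampering with the plain-http hop yields a different identity rather than Sean's https one.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed, in-memory stand-in for HTTP fetches so the example runs offline.
# Hostnames are hypothetical; each entry is url -> (status, headers, body).
HONEST_WEB = {
    "http://sean.example.com/": (301, {"Location": "https://sean.example.com/"}, ""),
    "https://sean.example.com/": (200, {},
        '<link rel="openid2.provider" href="https://idp.example.net/op">'),
}
# Same identifier, but the plain-http hop is under an attacker's control and
# redirects to a lookalike identifier page that names a lookalike IdP.
TAMPERED_WEB = dict(HONEST_WEB)
TAMPERED_WEB["http://sean.example.com/"] = (
    302, {"Location": "https://sean-example.attacker.test/"}, "")
TAMPERED_WEB["https://sean-example.attacker.test/"] = (200, {},
    '<link rel="openid2.provider" href="https://idp.attacker.test/op">')

def normalize(user_input):
    """OpenID 2.0 identifier normalisation: default to http://, force a path, drop fragment."""
    url = user_input.strip()
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def discover(user_input, web, max_hops=5):
    """Follow redirects as an RP does; the URL discovery ends on is the claimed_identifier."""
    url = normalize(user_input)
    for _ in range(max_hops):
        status, headers, body = web.get(url, (404, {}, ""))
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers["Location"])  # a redirect moves the identifier
            continue
        if status != 200:
            raise ValueError(f"discovery failed at {url}: HTTP {status}")
        m = re.search(r'rel="openid2\.provider"\s+href="([^"]+)"', body)
        if not m:
            raise ValueError(f"no openid2.provider link at {url}")
        return {"claimed_identifier": url, "op_endpoint": m.group(1)}
    raise ValueError("too many redirects")

def insecure_hops(result):
    """Names any discovered value still on plain http, the weak link the thread is about."""
    return [k for k, v in result.items() if urlsplit(v).scheme != "https"]

if __name__ == "__main__":
    for web in (HONEST_WEB, TAMPERED_WEB):
        print(discover("sean.example.com", web))
```

Running it shows the honest path ending on https://sean.example.com/ while the tampered path ends on the attacker's own URL, which an RP keyed on claimed_identifier treats as a separate account.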