[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Martin Atkins mart at degeneration.co.uk
Fri Jan 11 18:03:37 UTC 2008


Sean Reilly wrote:
> I think the point is that OpenIDs should start with https: so that  
> there is no http->https redirection needed.  If any step of the  
> process goes through a normal http exchange/redirect then there is a  
> weak link in the chain where a bad guy could take over the  
> authentication.
> 
> Or maybe I'm missing something having jumped into the middle of the  
> conversation.
> 

In general it is true that any HTTP part of the transaction defeats the 
HTTPS used in others, but the identifier URL is an exception.

If you enter sean.example.com, it'll initially try 
http://sean.example.com/ and get redirected to 
https://sean.example.com/. The protocol spec then requires RPs to use 
the https version as the claimed_identifier. This means that when you 
are ultimately authenticated, it will be as the https version of the URL.

If an attacker compromises the http form of the URL, there is no way for 
him to authenticate as the https version, so while the http version has 
been compromised you (presumably) never actually used that to log in to 
anything, so your existing accounts are safe.

There are still some attacks that can be done in the above situation, 
such as a variation on phishing done by interfering with the insecure 
version of your identifier to cause you to be sent to a lookalike of 
your IdP. Fortunately this attack is harder to perpetrate because it can 
only be done with you in the loop.

If you are concerned about the latter attack, then you can either enter 
https:// explicitly or wait until you get to your IdP and verify its SSL 
cert to make sure you haven't been tricked.
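The claimed_identifier rule Martin describes above, as an added worked example (not code from the thread or from any OpenID library): the user-typed identifier is normalised to http://, discovery follows the redirect to https://, and the RP keys accounts on that final https URL. The redirect tables and account store are constructed stand-ins for live HTTP fetches; the point is that an attacker who only controls the http form cannot produce the https claimed identifier, while typing https:// explicitly never consults the insecure form at all.

```python
"""Toy model of OpenID 2.0 identifier normalisation and redirect-following
discovery, to show why the https claimed identifier is what matters.
Illustration only: no real network access, constructed data throughout."""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins for what an RP would see over the wire.
# Honest case: the http form of the identifier redirects to https.
HONEST_REDIRECTS = {
    "http://sean.example.com/": "https://sean.example.com/",
}
# Tampered case: an attacker controlling the http form answers directly
# and never redirects to https (no entry in the table).
TAMPERED_REDIRECTS = {}

# RP account store, keyed on the claimed identifier recorded at sign-up.
ACCOUNTS = {"https://sean.example.com/": "sean"}


def normalize(user_input: str) -> str:
    """OpenID 2.0 style normalisation: prepend http:// when no scheme is
    given, default the empty path to '/', drop any fragment."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


def discover(identifier: str, redirects: dict, max_hops: int = 5) -> str:
    """Follow redirects from the normalised identifier; the final URL is
    the claimed identifier (the rule Martin refers to in the post)."""
    url = identifier
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("too many redirects during discovery")


def claimed_identifier_for(user_input: str, redirects: dict) -> str:
    """Normalise what the user typed, then run discovery."""
    return discover(normalize(user_input), redirects)


def resolve_account(claimed: str, accounts: dict):
    """Look up the local account for an authenticated claimed identifier.
    Returns None when no account was created under exactly that URL."""
    return accounts.get(claimed)


if __name__ == "__main__":
    typed = "sean.example.com"
    honest = claimed_identifier_for(typed, HONEST_REDIRECTS)
    print("honest discovery  ->", honest, "->", resolve_account(honest, ACCOUNTS))

    # Attacker owns the http form only: discovery ends at the http URL,
    # which matches no account keyed on the https identifier.
    tampered = claimed_identifier_for(typed, TAMPERED_REDIRECTS)
    print("tampered discovery->", tampered, "->", resolve_account(tampered, ACCOUNTS))

    # Typing https:// explicitly skips the insecure http form entirely.
    explicit = claimed_identifier_for("https://sean.example.com", TAMPERED_REDIRECTS)
    print("explicit https    ->", explicit, "->", resolve_account(explicit, ACCOUNTS))
```

The example models only the redirect-following part of discovery, not the later XRDS/HTML lookup or the assertion signature check; it is enough to show that an http-only compromise yields a claimed identifier that simply does not match the account stored under the https URL.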



