[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Hans Granqvist hans at granqvist.com
Wed Jan 16 05:50:05 UTC 2008


> If you are concerned about the latter attack, then you can either enter
> https:// explicitly or wait until you get to your IdP and verify its SSL
> cert to make sure you haven't been tricked.

Of course, a pretty simple attack is an RP getting a domain, such as
http://verislgnlabs.com/, and a cheap cert that chains to
99.9% of trusted browser roots, and then silently rewriting your
URL to fit.

How well do we trust the RPs we try to log into? One could argue
that evil RPs are soon found out, but who are we to say that the
latest cool OpenID-enabled site is good, and we just *want* to
check it out!

OpenID aware browsers or add-ons could help. OPs that use
OTPs, challenge response, biometrics, etc. could also help. But
is it even feasible to force their use?

Anyone see this as an issue?

Hans
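An added example, not part of this thread, of the kind of client-side check an OpenID-aware browser add-on could make before following an RP's redirect: it flags an OP host whose spelling is a look-alike of the identifier the user typed, or of an OP the user already trusts, which is exactly the case a valid certificate does not catch. The confusable table and the sample hosts are assumptions.

```python
from typing import Iterable
from urllib.parse import urlparse

# Single characters that are visually confusable, folded to one canonical form.
# Assumption: a real add-on would use the Unicode confusables data instead of
# this short ASCII table.
_CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "2": "z"})


def skeleton(host: str) -> str:
    """Reduce a hostname to a form in which look-alike spellings coincide."""
    host = host.lower().rstrip(".")
    # Two-character sequences that imitate one letter are folded first.
    host = host.replace("rn", "m").replace("vv", "w")
    return host.translate(_CONFUSABLE)


def host_of(url: str) -> str:
    """Hostname of a URL; a bare 'example.com' is treated as http://example.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_redirect(claimed_id: str, op_endpoint: str, trusted_ops: Iterable[str]) -> str:
    """Classify the OP host an RP is about to send the browser to.

    'trusted'    : under a domain the user already trusts
    'lookalike'  : not trusted, but spelled like a trusted OP or like the
                   identifier the user typed (the RP may have rewritten it)
    'consistent' : under the host of the identifier the user typed
    'unknown'    : none of the above, e.g. legitimate delegation to another OP
    """
    trusted = [t.lower() for t in trusted_ops]
    op_host = host_of(op_endpoint)
    claimed_host = host_of(claimed_id)
    if any(under(op_host, t) for t in trusted):
        return "trusted"
    if any(under(skeleton(op_host), skeleton(t)) for t in trusted):
        return "lookalike"
    if under(op_host, claimed_host):
        return "consistent"
    if under(skeleton(op_host), skeleton(claimed_host)):
        return "lookalike"
    return "unknown"
```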


