[OpenID] Privacy Concern with Simple Registration Extension

Kevin Turner kevin at janrain.com
Mon Dec 4 19:22:07 UTC 2006


On Thu, 2006-11-30 at 18:11 -0800, Drummond Reed wrote:
> I believe the answer is "Yes", if the OP wants to help protect the user's
> privacy, the OP needs to check to see if the return_to URL is https, and
> warn the user otherwise.

Yes Drummond, this is correct.  Kay, if there's a possibility of
intercepting traffic between the user's browser and the relying party,
then any information sent may be exposed.  An HTTPS connection with a
certificate signed by a trusted authority is the generally accepted way
to minimize this risk.  (Unfortunately, the provider doesn't know what
certificate the browser is seeing for the RP site, so it can't help
evaluate the strength of that HTTPS connection.)  This applies equally
to the identifier fields in standard OpenID, to fields in the Simple
Registration extension, and to any input the browser provides directly
to the RP, whether by input forms or cookies or what-have-you.


> 
> I hope David, Josh, Kevin, or someone who knows this extension well can jump
> in here and confirm.
> 
> =Drummond 
> 
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Kay Lee
> Sent: Wednesday, November 29, 2006 12:13 AM
> To: general at openid.net
> Subject: Privacy Concern with Simple Registration Extension
> 
> Hi members.
> I'm testing the Simple Registration Extension to support it with our
> OpenID provider.
> Recently I have found that in the response from the server, via the browser,
> to the consumer with mode 'id_res' (the normal response for a request with
> registration fields required), the user's registration fields, such as
> e-mail, nickname, ..., are transferred in just HTTP GET parameters.
> Uhm.... and the return_to URL the consumer provided was not https. I think
> there is a danger of exposing the user's fields. Must I check whether
> the consumer's return_to URL is https?
> 
> http://openid.net/specs/openid-simple-registration-extension-1_0.html
> 
> Sincerely. Kay.
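An added example of the point made above, written for this archive page and not code from the thread, from JanRain or from any OpenID library: it builds the id_res redirect the way Kay observed it (SReg values appended to return_to as query parameters) and implements the OP-side check Drummond and Kevin describe, warning when return_to is not https. The RP URL, the identity URL and the field values are constructed; the openid.sig value is omitted because a signature gives integrity, not secrecy; field names are the ones listed in the SREG 1.0 spec.

```python
# Added example (not from the thread): OP-side check of the RP's return_to
# scheme before a Simple Registration response, plus a demonstration of why
# the check matters. RP/identity URLs and field values are constructed.
from urllib.parse import parse_qs, urlencode, urlsplit

# Field names as listed in the SREG 1.0 spec.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")


def build_id_res_redirect(return_to, identity, sreg_values):
    """Build the OP -> RP redirect for a positive assertion carrying SReg data.

    Mirrors the transport Kay observed: every field is appended to return_to
    as a query parameter, so it crosses the wire in the clear unless return_to
    is https. openid.sig is left out here; signing would not hide the values.
    """
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
    }
    for name, value in sreg_values.items():
        if name not in SREG_FIELDS:
            raise ValueError("not an SREG 1.0 field: " + name)
        params["openid.sreg." + name] = value
    params["openid.signed"] = ",".join(
        ["mode", "identity", "return_to"] + ["sreg." + n for n in sreg_values])
    joiner = "&" if urlsplit(return_to).query else "?"
    return return_to + joiner + urlencode(params)


def sreg_values_on_the_wire(redirect_url):
    """What anyone between browser and RP can read off a plain-http redirect."""
    query = parse_qs(urlsplit(redirect_url).query)
    return {k[len("openid.sreg."):]: v[0]
            for k, v in query.items() if k.startswith("openid.sreg.")}


def return_to_privacy_warnings(return_to, required="", optional=""):
    """OP-side check: warn before sending SReg fields to a non-https return_to.

    required/optional are the comma-separated lists from the SReg request
    (openid.sreg.required / openid.sreg.optional). Returns warning strings to
    show the user; an empty list means no scheme-level objection. The OP can
    only judge the scheme, never the certificate the browser will see.
    """
    parts = urlsplit(return_to)
    scheme = parts.scheme.lower()
    fields = [f for f in (required + "," + optional).split(",") if f]
    warnings = []
    if scheme == "https":
        return warnings
    if scheme != "http":
        warnings.append("return_to has unexpected scheme %r; refuse" % parts.scheme)
        return warnings
    if fields:
        warnings.append("return_to %s is plain http; %s would be sent unencrypted"
                        % (return_to, ", ".join(fields)))
    else:
        # Even with no SReg fields the identifier itself goes over in the clear.
        warnings.append("return_to %s is plain http; the identifier would be "
                        "sent unencrypted" % return_to)
    return warnings


if __name__ == "__main__":
    url = build_id_res_redirect("http://rp.example.net/openid/return?session=abc",
                                "http://alice.example.org/",
                                {"email": "alice@example.org", "nickname": "alice"})
    print(url)
    print(sreg_values_on_the_wire(url))
    for w in return_to_privacy_warnings("http://rp.example.net/openid/return",
                                        "email", "nickname"):
        print("WARN:", w)
```

The check is deliberately coarse: it says nothing about the RP's certificate, which, as noted above, the provider cannot see, so the warning belongs in the user-facing approval page rather than in an automatic refusal.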
