security

Daniel E. Renfer Duck at Kronkltd.net
Mon Oct 23 08:51:36 UTC 2006


We have 2 issues here. SSL on the RP, and SSL on the IdP. I think the
interchanging of the two is causing a lot of confusion on this thread
about what the security issues are, and where they lie.

SSL on the IdP for the end user is vital, but should not be required.
As an end user, choosing an IdP means that I must trust that particular
company to protect my identity. This is really two parts: I must trust
my claimed identity to give the correct server information to the RP,
and I must trust the delegated IdP to be secure.

If the flow between my personal website and the RP becomes corrupted,
then the RP could be made to believe that I trust
http://authorize.everybody.com/openid as my IdP as opposed to
https://authorize.onlyme.com/openid. On the other hand, as an end
user, I have to make sure I trust the most secure IdP out there. I'm
going to want to make sure that onlyme.com is the most secure IdP
available. myopenid and verisign are going to be much bigger targets
for hackers than the hundreds/thousands of individual
bloggers/net-citizens that delegate to them.

Socially, any IdP that is not using SSL should be shunned and is
probably not a good choice as the guardian of your identity, just as a
site that accepts unsecure username/passwords is probably not the
wisest site to use the same username/password combo that you use for
your bank. (This is worse with OpenID because one of the design goals
was to create a verifiable link between the usernames at the two
sites.) A security-conscious RP (like my bank) is going to be
concerned about the strength of the assertion coming into its site
just as they want me to have at least 6 characters with at least one
number, but if I don't secure my own identity, that's really not the
fault of the RP is it? If I call up my bank and tell them "I posted my
username and password to 30+ newsgroups and now all my money is gone,
WTF man?" they wouldn't really be able to claim a flaw in their
security.

I can see the ultra-secure RPs rejecting me, or at least advising
that my Id contains potential security flaws because I didn't know any
better and I thought that maybe http://authorize.everybody.com/openid
was a good choice and point me to an FAQ explaining that I might want
to consider a secure IdP like https://authorize.onlyme.com/openid
instead. As an end user, I'd probably appreciate that. I would
probably get a little annoyed if a site denied my login because my IdP
used http, unless maybe it was a government or medical site, then I
might understand. If some new site that I was checking out wouldn't
let me use my identity, I would probably get annoyed that they were
being pedantic and move along to some other site.

So that about covers SSL on the IdP. I want to make the choice to have
a good company guarding against a hacker having access to all of the
sites that I go to. SSL on the RP really depends on the nature of what
I'm doing on that site. If my bank accepted OpenIDs and they only had
http, I would probably look for a different bank. If johnqblogger.com
used OpenID, I wouldn't be overly worried giving my identity in the
clear; the worst thing that's going to happen is someone might be able
to post a comment as me. OpenID goes a long way towards being secure
even over unencrypted communication, (in most cases) so SSL being
required on the RP should be important to the end user, but not
mandated.

Forcing RPs to use SSL for OpenID means that I, as well as all of the
other small-time domains running little more than a Wordpress install
on a shared host, wouldn't be able to implement OpenID without shelling
out the extra money for a unique IP address. I understand the benefits
of SSL, but I doubt that most people would be willing to pay extra
just so they can do a slight upgrade to their commenting system
identifying what would otherwise be only semi-anonymous comments.

For any site that deals in sensitive information, SSL is a must. I
think the general web-browsing public is just starting to understand
that if you don't see that little lock icon at the bottom of your
browser, then there is the possibility of that information being
intercepted. Posting my reply to some blogger is not the same as
posting my SSN and Credit Card Number and list of venereal diseases
contracted in the past 6 months. (in my case, none)

I'm +1 to strongly suggesting that SSL be used at every step of the
chain, but I'm -1 to SSL being a MUST at any step of the chain.


On 10/23/06, Martin Atkins <mart at degeneration.co.uk> wrote:
> Alaric Dailey wrote:
> >
> > Finally, if LiveJournal doesn't want to use SSL, especially with low-cost
> > and free SSL certs available, I have to wonder, why?  What is the reason?  Too
> > cheap to buy cheap certs, lack of interest in their users' privacy? Maybe
> > they only see their support of OpenID as a good PR move and only want to put
> > minimal effort into it.
> >
>
> I can't speak for LiveJournal as far as their reasons for not allowing
> SSL on the OpenID IdP, but LiveJournal *does* have an SSL cert and a
> secured site where user signups/payments are accepted. If pushed, I
> can't imagine it'd be incredibly difficult to run the OpenID IdP on the
> SSL server instead of the cleartext one.
>
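The "advise or reject" RP behaviour discussed above, as an added example that is not part of this thread or of any OpenID library: it reads the OpenID 1.1 delegation link tags (openid.server / openid.delegate) from a constructed personal page and classifies the IdP endpoint by scheme. The policy names (accept / warn / reject) and the sample pages are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not real sites): one delegates to an IdP over plain
# http, the other to an IdP over https, using OpenID 1.1 delegation link tags.
PAGE_HTTP_IDP = """<html><head>
<link rel="openid.server" href="http://authorize.everybody.com/openid">
<link rel="openid.delegate" href="http://authorize.everybody.com/users/duck">
</head><body>my blog</body></html>"""

PAGE_HTTPS_IDP = """<html><head>
<link rel="openid.server" href="https://authorize.onlyme.com/openid">
<link rel="openid.delegate" href="https://authorize.onlyme.com/users/duck">
</head><body>my blog</body></html>"""


class _LinkParser(HTMLParser):
    """Collect rel -> href for every <link> tag in the document."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may hold several tokens
                self.links.setdefault(r.lower(), href)


def discover_delegation(html):
    """Return (openid.server, openid.delegate) from the page, None if absent."""
    p = _LinkParser()
    p.feed(html)
    return p.links.get("openid.server"), p.links.get("openid.delegate")


def rp_policy(html, sensitive):
    """Hypothetical RP login policy for a claimed identifier's page.

    'accept' when the IdP endpoint is https; otherwise 'reject' for a
    sensitive RP (bank, government, medical) and 'warn' for a casual one
    (point the user at an FAQ suggesting a secure IdP instead)."""
    server, _delegate = discover_delegation(html)
    if server is None:
        return "no-openid"
    if urlparse(server).scheme.lower() == "https":
        return "accept"
    return "reject" if sensitive else "warn"
```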